Describe the bug
Currently, when creating new users, there is no way to limit the roles a user with permissions to create other users can assign (at least I'm not aware of it). But this looks like a security issue to me, because non-admin users with a right to create new admin users can thus effectively make themselves admins by logging in as this newly created user.
To Reproduce
Steps to reproduce the behavior:
1. Create a new user role, e.g. Editor with permissions to create users
2. Create a new user with the Editor role
3. Log in as this editor user
4. Create a new user
5. See how this editor can create a user with any user role including admin users.
Expected behavior
A user with a given role should not be able to create admin users (and in fact it should be possible to define a set of roles this user can assign to a new user, see getkirby/ideas#316).
Screenshots
If applicable, add screenshots to help explain your problem.
Kirby Version
3.2.0rc2
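One way to express the check this report asks for, as an added example (not Kirby's code or API; the role names, the `ASSIGNABLE_ROLES` map and all function names are hypothetical): a default-deny test of which roles an acting role may assign, plus an audit that flags roles able to reach `admin` through a chain of created users.

```php
<?php
declare(strict_types=1);

// Hypothetical policy (not Kirby configuration): for each acting role, the
// roles it may hand out. A role missing from the map may assign nothing.
const ASSIGNABLE_ROLES = [
    'admin'  => ['admin', 'editor', 'author'],
    'editor' => ['author'],
];

// Server-side check to run on every user create or role change (default deny).
function canAssignRole(string $actorRole, string $targetRole, array $policy = ASSIGNABLE_ROLES): bool
{
    return in_array($targetRole, $policy[$actorRole] ?? [], true);
}

// Roles an actor can end up holding by creating a user, logging in as that
// user, and repeating: the transitive closure of the policy map.
function reachableRoles(string $start, array $policy): array
{
    $seen  = [$start => true];
    $queue = [$start];
    while ($queue !== []) {
        $role = array_shift($queue);
        foreach ($policy[$role] ?? [] as $next) {
            if (!isset($seen[$next])) {
                $seen[$next] = true;
                $queue[]     = $next;
            }
        }
    }
    return array_keys($seen);
}

// Policy audit: every role other than $privileged that can reach it.
function rolesThatCanReach(string $privileged, array $policy): array
{
    $found = [];
    foreach (array_keys($policy) as $role) {
        if ($role !== $privileged && in_array($privileged, reachableRoles($role, $policy), true)) {
            $found[] = $role;
        }
    }
    return $found;
}

// Constructed sample: editor cannot assign admin directly, but can via manager.
$risky = ['admin' => ['admin', 'editor'], 'editor' => ['manager'], 'manager' => ['admin']];
var_dump(canAssignRole('editor', 'admin'));
print_r(rolesThatCanReach('admin', $risky));
```

The direct check alone is not enough when roles can be chained, which is why the audit walks the whole map rather than testing one hop.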