Ticket #12528 (confirmed Bug)

Opened 4 years ago

Last modified 4 years ago

'Site Administrator' users are presented with the UI for removing group members from Manager groups

Reported by: davidjb Owned by: davisagli
Priority: minor Milestone: 4.x
Component: User Experience and Interface Version: 4.2
Keywords: patch Cc:

Description

Tested on Plone 4.1.3 and Plone 4.2b2.

If I have a user who has the 'Site Administrator' global role assigned, the user is able to load group membership listings ('@@usergroup-groupmembership') for groups with the 'Manager' role (e.g. the 'Administrators' group), and within said listings is presented with the UI for removing group members, which the user shouldn't be able to do.

Attempting to remove group members doesn't actually do anything (no error, no message) - the members remain in the given group. However, the form interface shouldn't be shown at all.

Suggest using something like the attached patch. It uses the same condition as the check for whether to show the add group members form: don't show the remove users interface if the group has the Manager role (and the current user isn't a Manager themselves).

The actual listing of group members remains, as does the ability for a Site Administrator to modify Administrator group properties (e.g. dashboard, portlets etc.). Unsure if either of these is the desired behaviour. It's probably unlikely, but someone with malicious intent could use this to their advantage against someone with Manager rights.
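The gating condition suggested above, as an added example that is not from the ticket, the attached patch, or Plone itself. It models the role check in plain Python with constructed group data; the role names mirror Plone's ('Manager', 'Site Administrator'), but every function name and data structure here is an assumption. It also shows the same condition applied on the server side, because hiding the form is cosmetic and the real protection is the check that runs when the remove request arrives (Plone's existing behaviour is to silently do nothing; this example refuses explicitly instead).

```python
# Added example, not Plone code: UI gate plus server-side enforcement for
# removing members from a group that grants the Manager role.

MANAGER = "Manager"
SITE_ADMIN = "Site Administrator"

# Constructed sample data (assumption): group name -> roles the group grants.
GROUP_ROLES = {
    "Administrators": {MANAGER},
    "Site Administrators": {SITE_ADMIN},
    "Reviewers": {"Reviewer"},
}


class Forbidden(Exception):
    """Raised when a user tries to manage members of a group they may not touch."""


def can_manage_members(user_roles, group):
    """Return True if `user_roles` may add or remove members of `group`.

    Rule (the ticket's suggested condition): a group that grants Manager
    may only be managed by a Manager.  Any other group may be managed by a
    Manager or a Site Administrator.  Letting a Site Administrator edit a
    Manager group would let them remove (or add) Managers, i.e. escalate.
    """
    group_roles = GROUP_ROLES.get(group, set())
    if MANAGER in user_roles:
        return True
    if MANAGER in group_roles:
        return False
    return SITE_ADMIN in user_roles


def show_remove_members_ui(user_roles, group):
    """UI gate: same condition as the add-members form, as the ticket proposes."""
    return can_manage_members(user_roles, group)


def remove_member(user_roles, group, member, members):
    """Server-side handler for the remove action.

    `members` is a group -> set-of-userids mapping (constructed input).
    The check here must not rely on the UI having been hidden; a crafted
    POST reaches this code regardless of what the page rendered.
    Returns the group's remaining members, sorted.
    """
    if not can_manage_members(user_roles, group):
        raise Forbidden(f"not allowed to remove {member!r} from {group!r}")
    remaining = set(members.get(group, set()))
    remaining.discard(member)
    members[group] = remaining
    return sorted(remaining)


if __name__ == "__main__":
    site_admin = {SITE_ADMIN}
    manager = {MANAGER}
    print("site admin sees remove UI for Administrators:",
          show_remove_members_ui(site_admin, "Administrators"))   # False
    print("site admin sees remove UI for Reviewers:",
          show_remove_members_ui(site_admin, "Reviewers"))        # True
    print("manager sees remove UI for Administrators:",
          show_remove_members_ui(manager, "Administrators"))      # True
```

Note that a Site Administrator can still manage the 'Site Administrators' group in this model, since that group does not grant Manager; whether that is desirable is a separate policy question the ticket does not settle.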

Attachments

remove-members.patch Download (2.7 KB) - added by davidjb 4 years ago.
Prevent Site Administrators seeing the UI to remove members from Manager-role groups

Change History

Changed 4 years ago by davidjb

Prevent Site Administrators seeing the UI to remove members from Manager-role groups

comment:1 Changed 4 years ago by jonstahl

  • Owner set to davisagli
  • Component changed from Unknown to User Experience and Interface
  • severity changed from Untriaged to Normal

comment:2 Changed 4 years ago by jonstahl

  • Keywords patch added

comment:3 Changed 4 years ago by kleist

  • Status changed from new to confirmed

comment:4 Changed 4 years ago by kleist

In Plone 4.3 coredev buildout, when a Site Admin visits @@usergroup-groupmembership he gets an "AttributeError: groupname". See #13052.
