Ticket #12528 (confirmed Bug)
'Site Administrator' users are presented with the UI for removing group members from Manager groups
Reported by: | davidjb | Owned by: | davisagli
---|---|---|---
Priority: | minor | Milestone: | 4.x
Component: | User Experience and Interface | Version: | 4.2
Keywords: | patch | Cc: |
Description
Tested on Plone 4.1.3 and Plone 4.2b2.
If I have a user who has the 'Site Administrator' global role assigned, the user is able to load group membership listings ('@@usergroup-groupmembership') for groups with the 'Manager' role (e.g. the 'Administrators' group), and within said listings, is presented with the UI for removing group members, which the user shouldn't be able to do.
Attempting to remove group members doesn't actually do anything (no error, no message) - the members remain in the given group. However, the form interface shouldn't be shown at all.
Suggest using something like the attached patch - uses the same condition as checking whether to show the add group members form; don't show the remove users interface if the group has the Manager role (and current user isn't a Manager themselves).
The actual listing of group members remains, as does the ability for a Site Administrator to modify Administrator group properties (e.g. dashboard, portlets, etc.). Unsure if either of these is the desired behaviour. It's probably unlikely, but someone with malicious intent could use this to their advantage against someone with Manager rights.
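A minimal model of the gating the ticket proposes, as an added example that is neither Plone's code nor the attached patch: one predicate decides both whether the remove-members form is rendered and whether the server-side removal is honoured. The `can_modify_members` helper, the group and user names, and the role sets are assumptions constructed for illustration.

```python
# Added illustration (not Plone's own code): a minimal model of the check
# the ticket proposes. Roles, groups and users are constructed sample data.
from dataclasses import dataclass, field

MANAGER = "Manager"
SITE_ADMIN = "Site Administrator"


@dataclass
class Group:
    name: str
    roles: frozenset
    members: set = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: frozenset


def can_modify_members(actor: User, group: Group) -> bool:
    """Hypothetical predicate: a non-Manager may not touch the membership of a
    group that carries the Manager role. The same predicate gates the add form,
    the remove form and the server-side action, so the UI never offers more
    than the backend will honour."""
    if MANAGER in group.roles and MANAGER not in actor.roles:
        return False
    return MANAGER in actor.roles or SITE_ADMIN in actor.roles


def membership_view(actor: User, group: Group) -> dict:
    """What the listing exposes: members always, the remove UI only when the
    actor is actually allowed to act on it."""
    return {
        "members": sorted(group.members),
        "show_remove_form": can_modify_members(actor, group),
    }


def remove_member(actor: User, group: Group, member: str) -> None:
    """Server-side enforcement, independent of what the UI rendered."""
    if not can_modify_members(actor, group):
        raise PermissionError(f"{actor.name} may not modify {group.name}")
    group.members.discard(member)


def removal_is_rejected(actor: User, group: Group, member: str) -> bool:
    """True when the backend refuses the removal (member stays in the group)."""
    try:
        remove_member(actor, group, member)
    except PermissionError:
        return member in group.members
    return False


# Constructed sample data mirroring the ticket's scenario
admins = Group("Administrators", frozenset({MANAGER}), {"root"})
reviewers = Group("Reviewers", frozenset({"Reviewer"}), {"alice", "bob"})
siteadmin = User("siteadmin", frozenset({SITE_ADMIN}))
manager = User("manager", frozenset({MANAGER}))
```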
Attachments
Change History
Changed 4 years ago by davidjb: attachment remove-members.patch added ("Prevent Site Administrators seeing the UI to remove members from Manager-role groups")