[Bug]: Lizmap admin rights management: security flaw? #5218
Open
Description
What is the bug? (in English)
Recently I started to work more with the user rights management. I discovered one thing which troubles me a bit: if I give a user (or a user group) the right to change the rights of other users, these users can then promote other users (and themselves) into the "admins" group and therefore escalate their rights. Can you somehow prevent that? As a user, I should not be able to grant rights which are higher than my currently owned rights, I think.
Steps to reproduce the issue
Lizmap Admin Interface
Grant User the "Change User Rights" permission
-> The granted user can promote other users without any restrictions
Versions, safeguards, check summary etc
Versions :
- Lizmap Web Client : 3.8.4 - commit be354fc be354fcbc
- Lizmap plugin : 4.4.6
- QGIS Desktop : 3.34.13
- QGIS Server : 3.34.14
- Py-QGIS-Server : not used
- QGIS Server plugin atlasprint : 3.4.1
- QGIS Server plugin lizmap_server : 2.12.0
- QGIS Server plugin wfsOutputExtension : 1.8.2
List of Lizmap Web Client modules :
* altiProfil : 0.5.8
* altiProfilAdmin : 0.5.8
List of safeguards :
* Mode : normal
* Allow parent folder : no
* Prevent other drive : yes
* Prevent PG service : yes
* Prevent PG Auth DB : yes
* Force PG user&pass : yes
* Prevent ECW : yes
Check Lizmap plugin
- I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.
Operating system
Ubuntu 22.04
Browsers
Firefox
Browsers version
Firefox 89
Relevant log output
No response
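The behaviour the report asks for, that a delegated rights manager cannot grant a group above their own level and cannot edit their own memberships, comes down to a server-side ceiling check at the point where a group membership is added. The following is an added illustration in Python and is not Lizmap code; the role ladder, group names other than "admins", and the function names are assumptions made for the example, and the audit list stands in for whatever log the real application writes.

```python
"""Ceiling check for delegated rights management (constructed example, not Lizmap code)."""
from dataclasses import dataclass, field

# Assumed role ladder for the example: a higher rank means more privilege.
# Only the "admins" group name comes from the report; the others are made up.
ROLE_RANK = {"users": 0, "publishers": 1, "rights_managers": 2, "admins": 3}


class PrivilegeEscalation(PermissionError):
    """Raised when a grant would exceed the grantor's own privilege level."""


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def max_rank(user: User) -> int:
    """Highest privilege rank among the user's groups (-1 if the user has none)."""
    return max((ROLE_RANK[g] for g in user.groups if g in ROLE_RANK), default=-1)


def can_manage_rights(user: User) -> bool:
    """Only these groups hold the 'change user rights' permission in this example."""
    return bool(user.groups & {"rights_managers", "admins"})


def grant_group(actor: User, target: User, group: str, audit: list) -> bool:
    """Add `target` to `group` on behalf of `actor`, enforcing three rules:
    1. the actor must hold the rights-management permission at all;
    2. the actor may not modify their own memberships (no self-promotion);
    3. the granted group may not outrank the actor's own highest group.
    Every decision is appended to `audit` so denials are visible to operators.
    Returns True when the membership was added; raises on denial."""
    if group not in ROLE_RANK:
        raise ValueError(f"unknown group {group!r}")
    if not can_manage_rights(actor):
        audit.append(f"DENY {actor.name} -> {target.name}/{group}: no rights-management permission")
        raise PermissionError("actor may not manage user rights")
    if actor.name == target.name:
        audit.append(f"DENY {actor.name} -> {target.name}/{group}: self-service group change")
        raise PrivilegeEscalation("users may not change their own group memberships")
    if ROLE_RANK[group] > max_rank(actor):
        audit.append(f"DENY {actor.name} -> {target.name}/{group}: above actor's ceiling")
        raise PrivilegeEscalation(f"{actor.name} cannot grant {group!r} (above own level)")
    target.groups.add(group)
    audit.append(f"ALLOW {actor.name} -> {target.name}/{group}")
    return True


def demo() -> list:
    """Replay the scenario from the report: a delegated rights manager tries to
    promote another user and then herself to 'admins'. Returns the audit trail."""
    audit: list = []
    alice = User("alice", {"rights_managers"})   # has 'change user rights'
    bob = User("bob", {"users"})

    for actor, target, group in [
        (alice, bob, "admins"),       # escalation of another user: denied
        (alice, alice, "admins"),     # self-promotion: denied
        (alice, bob, "publishers"),   # within alice's ceiling: allowed
    ]:
        try:
            grant_group(actor, target, group, audit)
        except PermissionError:
            pass  # the denial is already recorded in the audit list
    return audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ceiling rule deliberately still allows a rights manager to grant groups at or below their own rank, including "rights_managers" itself, since delegating one's own level is not an escalation; if that is unwanted, compare with `>=` instead of `>` for that one group. The check has to live in the server-side handler that performs the change, not in the admin interface, because the interface is exactly what a user with this permission is allowed to use.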