[isf-wifidog] Unsuitable Admin Access (html)

Benoit Grégoire benoitg at coeus.ca
Mer 5 Mar 23:11:41 EST 2008 

On Wednesday 05 March 2008, Bruno Remy wrote:
> Hello,
>
> When a single user (not an admin) logs into tha "admin" page
> (http://auth.zapquebec.org/admin/index.php)
> he is not supposed to see this frame :

Actually, the bug it the other way around ;)  Everyone is supposed to be able to add content to the library (hopefully artistic), and then ask to put it up on hotspots.  It's what wifidog has been designed for!

Save for a few bugs that occasionally broke that feature, it has been in wifidog since almost the begining!

But right now, because permission system isn't fully implemented yet (specifically default system roles aren't implemented yet) so there is no "validated user" role that we can tie the SERVER_PERM_EDIT_CONTENT_LIBRARY to,  So right now only users that have been assigned a role that includes SERVER_PERM_EDIT_CONTENT_LIBRARY see that menu option (and indeed, my zap québec user does NOT see it), but don't expect that to continue.  Working on this specific permission as a proof of concept is how I noticed that I needed to add default roled before I continue, but I didn't realize that I broke something I consider a fundamental feature.

> It's a critical security failure, because he can acces to the "reusable
> content library" and not only in "Read-only" but he  can modify or
> delete items !

Only for items the user owns (or has been granted access to)

> This feature  has to be disabled.

In my opinion, this feature has to be restored!

There has been repeated request for people to help finish the permission system and add access control to the different areas of wifidog.  That will make this (and a lot more) configurable according to every groups choices. I spent a few hundred hours creating the API, documenting it really well, and implementing most of it, as well as using in in several places already (as examples).  Unfortunately, so far I dind't get any help.


-- 
Benoit Grégoire
Technologies Coeus inc.
-------------- section suivante --------------
Une pièce jointe HTML a été nettoyée...
URL: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20080305/2f1003e1/attachment.htm

Plus d'informations sur la liste de diffusion WiFiDog