Project

General

Profile

Actions

Defect #11075

open

"Manage members" permission allows user to elevate own permissions

Added by Rick Mason over 11 years ago. Updated over 10 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Permissions and roles
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

1. Create a role which has only one permission, "Manage members".
2. Create a user who is not in any groups, but is in the new role on a single project.
3. Log in as that user.
4. Go to the only project you can see, and click settings.
5. Click "Edit" next to your username and grant yourself access to any role. This can include a role which has full permissions to the project and its settings.

Granting a user "Manage members" is therefore equivalent to granting them the most powerful role available on a project, because they can elevate their own permissions.

They shouldn't be able to modify their own permissions. Arguably they shouldn't be able to grant permissions higher than their own to anyone else either.


Related issues

Related to Redmine - Feature #19707: Ability to limit member management to certain rolesClosedJean-Philippe Lang

Actions
Actions

Also available in: Atom PDF