Dolibarr / dolibarr

Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
https://www.dolibarr.org
GNU General Public License v3.0

An external user can modify admin permissions #27976

Open c3do opened 9 months ago

c3do commented 9 months ago

Bug

An external user can receive all permissions related to users and user groups. He can therefore update his own authorizations, but also the administrator's permissions.

Environment Version

18

Environment OS

No response

Environment Web server

No response

Environment PHP

No response

Environment Database

No response

Environment URL(s)

No response

Expected and actual behavior

An external user should not be able to receive certain permissions

Steps to reproduce the behavior

  1. Create an external user
  2. Give him all permissions related to users
  3. Log in with external user
  4. Navigate to Home > Users & Groups > List of users > The external user's card
  5. Navigate to the previous cards by clicking on the “<” arrow to the admin card
  6. Change permissions

Attached files

No response

altairis-tof commented 9 months ago

"Give him all permissions related to users" ???

c3do commented 9 months ago

@altairis-tof [screenshot attached: Screenshot 2024-02-08 09 59 56]

altairis-tof commented 9 months ago

But why do you give him these permissions?

c3do commented 9 months ago

> But why do you give him these permissions?

But why would it be permissible to give these permissions?

altairis-tof commented 9 months ago

Good point, but this is not a bug. When you define an external user you have to define permissions according to what you want. Maybe there is a use case where these permissions have to be settable for an external user?

altairis-tof commented 9 months ago

After more thinking I agree with you; do you think you can do the fix PR? @c3do

altairis-tof commented 9 months ago

I think the fix would be to forbid defining sensitive permissions for external users. But I'd be glad to have @eldy's point of view before we code anything.

eldy commented 9 months ago

By default an external user is always limited to its company (this is the definition of an external user, so this rule should not be bypassed). So if we give him permission to edit users, he must have permission to edit users of only its company too (so other external users of the same company).

daraelmin commented 9 months ago

If permissions are limited in the future for external users, it will absolutely be necessary to correct the bug on the creation of an internal user from a member (see below).

For the moment, this poses little problem since we can grant them all the permissions, but if in the future we can no longer...

https://github.com/Dolibarr/dolibarr/issues/26392

JonBendtsen commented 9 months ago

> If permissions are limited in the future for external users, it will absolutely be necessary to correct the bug on the creation of an internal user from a member (see below).
>
> For the moment, this poses little problem since we can grant them all the permissions, but if in the future we can no longer...
>
> #26392

Really? Are all permissions granted automatically?

daraelmin commented 9 months ago

Permissions are not automatically granted, BUT it is possible to give them to a member who becomes a user, despite the fact that you can't turn a member into an internal user.

If it becomes impossible to give permissions to an external user, we must offer the possibility of turning a member into an internal user.

JonBendtsen commented 9 months ago

> Permissions are not automatically granted, BUT it is possible to give them to a member who becomes a user, despite the fact that you can't turn a member into an internal user.
>
> If it becomes impossible to give permissions to an external user, we must offer the possibility of turning a member into an internal user.

Okay, that makes more sense. How come Dolibarr distinguishes between internal and external users?

daraelmin commented 9 months ago

If a user is linked to a third party, it becomes an external user.

It is therefore possible to create an internal user from a member as long as they are not linked to a third party... but if they have to pay a membership fee, especially if online payment is possible or if accounting is enabled, there is a good chance that members will be linked to a third party.

For your information, once a member who is not linked to a third party becomes an internal user, it is possible to link the member to a third party without worry.

I'm not sure where this comes from.

JonBendtsen commented 9 months ago

> If a user is linked to a third party, it becomes an external user.
>
> It is therefore possible to create an internal user from a member as long as they are not linked to a third party... but if they have to pay a membership fee, especially if online payment is possible or if accounting is enabled, there is a good chance that members will be linked to a third party.
>
> For your information, once a member who is not linked to a third party becomes an internal user, it is possible to link the member to a third party without worry.

All our members have a linked third party, but not all third parties are members.

Some of our members have a login so they can help run our organisation, like volunteers who might have an expense report, and also our teachers so they can accept people into our classes.

We are a non-profit dance organisation; we use Dolibarr and a Python Flask form for registering for dance classes. Then from inside Dolibarr we validate orders and they are sent an email to pay, and then Dolibarr auto-creates an invoice.

daraelmin commented 9 months ago

I must correct myself:

An external user is a user directly linked to a third party. So if a user is linked to a member which is linked to a third party, the user is internal.

Actually, it is impossible to remove the link between a user and a third party without using SQL, and it is impossible to create a user from a member linked to a third party without creating a link between the new user and the member's third party.

bos4711 commented 9 months ago

> An external user is a user directly linked to a third party.

What is the point of external users?

Or let me rephrase that: let's say person X is listed as a contact for third party Y. What purpose does it serve for anyone or anything that person X, being an external user, logs in to our Dolibarr?

daraelmin commented 9 months ago

First point: some third parties are not companies. For example, a member is a third party "physical person" which has no contact.

Second point: most Dolibarr administrators need their customers, external users, to be able to access their data, their customer account, to download invoices, check orders, track orders, etc.

JonBendtsen commented 9 months ago

> First point: some third parties are not companies. For example, a member is a third party "physical person" which has no contact.
>
> Second point: most Dolibarr administrators need their customers, external users, to be able to access their data, their customer account, to download invoices, check orders, track orders, etc.

Yes, all my third parties are private persons.

That access could be given without using a username/password; this could be a unique link. But even if they do have a user, then it could be some permissions that were given to a user if they have access to their own third-party data.

daraelmin commented 9 months ago

Some of this data may be confidential and/or regulated (GDPR and the like), such as postal addresses, emails, first and last names, telephone numbers, etc.

It doesn't seem right to display them via a public link. I'm already rather uncomfortable with the public page for online renewal and payment of members' subscriptions (in the case of a trade union, we need to be able to guarantee people's anonymity, the same goes for members of political parties).

If, in addition, customers are allowed to update their data....

No, a password-protected personal space seems essential to me.

JonBendtsen commented 9 months ago

> Some of this data may be confidential and/or regulated (GDPR and the like), such as postal addresses, emails, first and last names, telephone numbers, etc.
>
> It doesn't seem right to display them via a public link. I'm already rather uncomfortable with the public page for online renewal and payment of members' subscriptions (in the case of a trade union, we need to be able to guarantee people's anonymity, the same goes for members of political parties).
>
> If, in addition, customers are allowed to update their data....
>
> No, a password-protected personal space seems essential to me.

I don't mean a public link, and Dolibarr already shares orders, proposals and invoices using a unique link, so it can't be a totally wrong solution.

eldy commented 1 week ago

To summarize all the thread:

By default an external user is always limited to its company (this is the definition of an external user, so this rule should not be bypassed). So if we give him permission to edit users, he must have permission to edit users of only its company too (so other external users of the same company). If an external user can do more, it is a bug and must be fixed so that he is limited to external users of the same company only.
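The rule eldy states above, and that the reproduction steps in the report bypass (an external user holding the user-edit right reaches the admin's card by navigating with the "<" arrow and changes permissions there), can be enforced as a server-side scope check. The following is an added example written for this page, not Dolibarr's code: the class and field names (`AppUser`, `socid`, `admin`, `canEditUsers`) are assumptions loosely modelled on Dolibarr's notion of a user linked to a third party, not the project's actual API, and the sample users are constructed.

```php
<?php
// Added example (not Dolibarr code): a server-side authorization check for the
// rule discussed in the thread. An external user is one directly linked to a
// third party (socid > 0). Even when such a user holds the "edit users" right,
// the right must only reach users of the same third party, never internal
// users and never an administrator.
//
// Field names are assumptions modelled on Dolibarr's User object, not its API.

declare(strict_types=1);

final class AppUser
{
    public function __construct(
        public readonly int $id,
        public readonly string $login,
        public readonly int $socid,          // 0 = internal user, >0 = linked third party (external)
        public readonly bool $admin = false,
        public readonly bool $canEditUsers = false,
    ) {}

    public function isExternal(): bool
    {
        return $this->socid > 0;
    }
}

/**
 * Decide whether $actor may modify the permissions of $target.
 * Returns null when allowed, otherwise a reason string suitable for logging.
 * The check must run in the handler that applies the change (the user card /
 * permission form), not only in the list filter, because the reported bypass
 * reached the admin card through card-to-card navigation rather than the list.
 */
function denyReasonForPermissionEdit(AppUser $actor, AppUser $target): ?string
{
    if (!$actor->admin && !$actor->canEditUsers) {
        return 'actor lacks user-edit permission';
    }

    if (!$actor->isExternal()) {
        return null;  // internal user holding the right: ordinary behaviour
    }

    // Everything below is the external-user scope restriction from the thread.
    if ($target->admin) {
        return 'external users may never edit an administrator';
    }
    if (!$target->isExternal()) {
        return 'external users may not edit internal users';
    }
    if ($target->socid !== $actor->socid) {
        return 'target belongs to a different third party';
    }
    return null;  // same third party: allowed by the rule in the thread
}

// Constructed sample data reproducing the issue's scenario.
$admin    = new AppUser(1, 'admin',     0,  admin: true, canEditUsers: true);
$internal = new AppUser(2, 'staff',     0);
$ext1     = new AppUser(3, 'ext-acme',  42, canEditUsers: true);  // external user given "all user permissions"
$ext2     = new AppUser(4, 'ext-acme2', 42);                      // same third party as ext1
$ext3     = new AppUser(5, 'ext-other', 77);                      // another third party

$cases = [
    'ext1 -> admin (the reported bug)' => [$ext1, $admin],
    'ext1 -> internal user'            => [$ext1, $internal],
    'ext1 -> same-company external'    => [$ext1, $ext2],
    'ext1 -> other-company external'   => [$ext1, $ext3],
    'ext1 -> itself'                   => [$ext1, $ext1],
    'admin -> ext1'                    => [$admin, $ext1],
];

foreach ($cases as $label => [$actor, $target]) {
    $reason = denyReasonForPermissionEdit($actor, $target);
    printf("%-36s %s\n", $label, $reason === null ? 'ALLOW' : 'DENY: ' . $reason);
}
```

Run with `php check.php`: the first, second and fourth cases are denied, the same-company cases and the admin's edit are allowed. Note that the rule as summarised in the thread still lets an external user edit users of its own third party, itself included, which is the self-escalation the original report also mentions; whether that should additionally be blocked is not settled in the discussion above.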