OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

AssignRoleToUsers should not be implied by EditUsers #16756

Closed MikeAlhayek closed 1 day ago

MikeAlhayek commented 2 months ago

In the permission structure we currently have, the AssignRoleToUsers permission should NOT be implied by EditUser. AssignRoleToUsers should be explicitly granted instead.

Change

https://github.com/OrchardCMS/OrchardCore/blob/dd03cf8c998b014303728e20b398239e49ff3dc8/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs#L24

to

    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", true);

github-actions[bot] commented 2 months ago

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.

sebastienros commented 2 weeks ago

I agree with the issue description.

However, I think it may be fine as a non-breaking change. Kind of a fix. Would the fix also add the permission by default to the roles that have Edit Users?

MikeAlhayek commented 2 weeks ago

If we provide a migration to grant the permission for all the roles, then we won't break anything. But we would have to make sure that migration does run for new tenants.
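
A simplified model of the change discussed in this thread, added here as an illustration and not OrchardCore code: `Perm`, `Role` and `Authz` are hypothetical stand-ins, and the `Helpdesk` role is constructed sample data. It shows a role that holds only EditUsers passing an AssignRoleToUsers check through implication, failing it once the implication is removed, and passing again after a migration adds an explicit grant.

```csharp
// Added illustration: stand-in types, NOT OrchardCore's Permission or role classes.
using System;
using System.Collections.Generic;

var editUsers = new Perm("EditUsers");
// Before the change: AssignRoleToUsers is implied by EditUsers.
var assignBefore = new Perm("AssignRoleToUsers", editUsers);
// After the change: no implication, the permission must be granted by name.
var assignAfter = new Perm("AssignRoleToUsers");

// Constructed sample role that was only ever given EditUsers.
var helpdesk = new Role("Helpdesk", new HashSet<string> { "EditUsers" });

Console.WriteLine(Authz.IsGranted(helpdesk, assignBefore)); // True: reached through EditUsers
Console.WriteLine(Authz.IsGranted(helpdesk, assignAfter));  // False: this role loses the ability

// Migration idea from the thread: turn the old implication into an explicit grant.
int updated = Authz.GrantWhereHeld(new[] { helpdesk }, held: editUsers, toGrant: assignAfter);
Console.WriteLine(updated);                                 // 1 role updated
Console.WriteLine(Authz.IsGranted(helpdesk, assignAfter));  // True: explicit and revocable per role

record Perm(string Name, params Perm[] ImpliedBy);
record Role(string Name, HashSet<string> Granted);

static class Authz
{
    // Granted if the role holds the permission by name, or holds any
    // permission that implies it, directly or transitively.
    public static bool IsGranted(Role role, Perm required)
    {
        var seen = new HashSet<string>();
        var pending = new Stack<Perm>();
        pending.Push(required);
        while (pending.Count > 0)
        {
            var p = pending.Pop();
            if (!seen.Add(p.Name)) continue;              // guard against cycles
            if (role.Granted.Contains(p.Name)) return true;
            foreach (var parent in p.ImpliedBy) pending.Push(parent);
        }
        return false;
    }

    // Explicitly grants `toGrant` to every role that explicitly holds `held`;
    // returns how many roles were changed.
    public static int GrantWhereHeld(IEnumerable<Role> roles, Perm held, Perm toGrant)
    {
        int changed = 0;
        foreach (var r in roles)
            if (r.Granted.Contains(held.Name) && r.Granted.Add(toGrant.Name)) changed++;
        return changed;
    }
}
```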