RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

[4.0.0] -> losing admin role while logging in #23327

Closed TimmiORG closed 3 years ago

TimmiORG commented 3 years ago

Description:

[4.0.0] -> losing admin role while logging in

Steps to reproduce:

  1. Give a normal user the admin role in addition, through "Make Admin" on the selected user
  2. User receives admin role in user list
  3. logout / login user with the new admin role
  4. admin role removed from user

Expected behavior:

The admin role should stay with the user until removal.

Actual behavior:

Admin role removed after login on the user.

Server Setup Information:

Client Setup Information:

User accounts are LDAP based.

morenstrat commented 3 years ago

I can confirm this issue. It happens when "Update User Data on Login" is enabled in the LDAP -> Data Sync settings. All roles other than "user" are affected, not just the "admin" role. This is a security issue IMHO. Since the LDAP group to user role mapping was removed from CE, the data sync should not change user roles.
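The failure morenstrat describes, as an added example that is not Rocket.Chat's code: a minimal model of an LDAP "update user data on login" step run against an in-memory user record, once in the buggy form that rebuilds the roles array from what LDAP can supply, and once in a form that syncs profile attributes only. It also shows the check a practitioner would want around any login-time sync: which roles were lost across the login, and whether the change leaves the server with no admin at all. Field names (roles, ldap, name, emails) and helper names are assumptions; the sample user and LDAP entry are constructed.

```javascript
// Added example, not Rocket.Chat code. Models an LDAP "update user data on
// login" sync against an in-memory user record. Field and helper names are
// assumptions; the sample data below is constructed.

const DEFAULT_ROLE = 'user';

// Constructed sample: an LDAP-backed user who was made admin and livechat
// agent through the UI.
const before = {
  username: 'alice',
  ldap: true,
  name: 'Alice',
  emails: [{ address: 'alice@example.org' }],
  roles: ['user', 'admin', 'livechat-agent'],
};

// Constructed sample: what the directory returns for alice at login time.
const ldapEntry = { displayName: 'Alice Example', mail: 'alice@example.org' };

// Buggy sync: rebuilds the user document, roles included, from the LDAP
// entry. With no group-to-role mapping available, roles collapse to the
// default and every role granted through the UI is silently dropped.
function syncOnLoginBuggy(user, entry) {
  return {
    ...user,
    name: entry.displayName,
    emails: [{ address: entry.mail }],
    roles: [DEFAULT_ROLE],
  };
}

// Fixed sync: only profile attributes come from LDAP. Roles are not derived
// from the directory here, so the sync leaves them exactly as they were.
function syncOnLoginFixed(user, entry) {
  return {
    ...user,
    name: entry.displayName,
    emails: [{ address: entry.mail }],
    roles: [...user.roles],
  };
}

// Audit check: roles present before a login that are missing afterwards.
function rolesLost(prev, next) {
  const after = new Set(next.roles);
  return prev.roles.filter((r) => !after.has(r));
}

// Guard: would applying `changed` leave the server without any admin?
// This is the lockout state the thread ends in.
function wouldRemoveLastAdmin(users, changed) {
  const adminsAfter = users
    .map((u) => (u.username === changed.username ? changed : u))
    .filter((u) => u.roles.includes('admin'));
  return adminsAfter.length === 0;
}

function demo() {
  const buggy = syncOnLoginBuggy(before, ldapEntry);
  const fixed = syncOnLoginFixed(before, ldapEntry);
  return {
    lostByBuggySync: rolesLost(before, buggy),      // ['admin', 'livechat-agent']
    lostByFixedSync: rolesLost(before, fixed),      // []
    lockout: wouldRemoveLastAdmin([before], buggy), // true: alice was the only admin
  };
}

console.log(demo());
```

The guard is worth keeping in a real codebase even after the sync bug is fixed: any code path that rewrites a user's roles (LDAP sync, SAML attribute mapping, an admin API) should refuse a change that removes the last admin.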

rijusougata13 commented 3 years ago

Hi, I'd love to contribute to this issue. Can someone guide me on where I should start and which files I should look into?

TimmiORG commented 3 years ago

You are right, the same also happened for other rights like livechat agents.

richieri commented 3 years ago

I'm facing this issue also. I was able to login again with admin role disabling ldap for my user (change myusername to your user name):

db.users.update({username:"myusername"}, {$set: {'ldap' : false}})

then I added the user to admin role:

db.users.update({username:"myusername"}, {$set: {'roles' : [ "admin" ]}})

I think you may try to login with the same password, but, if it does not work, you can try to reset your user password to 12345 with:

db.getCollection('users').update({username:"myusername"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })

I'm not sure if this is the best way to fix it while we wait for 4.0.1, but it worked for me =D

maeries commented 3 years ago

db.users.update({username:"myusername"}, {$set: {'roles' : [ "admin" ]}})

When I do that it returns WriteResult({ "nMatched" : 0, "nUpserted" : 0, "nModified" : 0 }) and I still don't have admin privileges.
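The manual repair richieri posted and the nMatched: 0 result maeries got, as an added example that is not Rocket.Chat's code and does not talk to MongoDB: it builds the repair as an update document, applies it to a constructed in-memory users array the way an update with the same filter would, and interprets the resulting WriteResult. It uses $addToSet rather than the thread's $set: { roles: [ "admin" ] }, because $set replaces the whole array and would drop any other role the account held (livechat-agent, for instance). The collection name and the ldap and roles fields come from the thread; helper names are assumptions. Two caveats for anyone following the thread's steps: the posted bcrypt hash sets the account to a password that is now public in this thread, so change it immediately after logging in; and a WriteResult with nMatched 0 means the filter matched no document at all, so repeating the same command cannot grant anything.

```javascript
// Added example, not Rocket.Chat code. Builds and simulates the manual
// MongoDB role repair from the thread. No database connection is made; the
// users array below is constructed and stands in for the users collection.

// Filter and update for db.users.updateOne(filter, update).
function buildRoleRepair(username, role = 'admin') {
  if (typeof username !== 'string' || username.length === 0) {
    throw new Error('username is required');
  }
  return {
    filter: { username },
    update: {
      $set: { ldap: false },      // stop the LDAP sync from rewriting this record
      $addToSet: { roles: role }, // add the role without clobbering the others
    },
  };
}

// Applies the $set and $addToSet operators (the only two this repair needs)
// to one document, returning a new document.
function applyUpdate(doc, update) {
  const out = { ...doc };
  for (const [field, value] of Object.entries(update.$set || {})) {
    out[field] = Array.isArray(value) ? [...value] : value;
  }
  for (const [field, value] of Object.entries(update.$addToSet || {})) {
    const arr = Array.isArray(out[field]) ? [...out[field]] : [];
    if (!arr.includes(value)) arr.push(value);
    out[field] = arr;
  }
  return out;
}

// Runs the repair against an in-memory users array and returns the new
// array plus a WriteResult-shaped summary like the legacy shell prints.
function runRepair(users, username, role = 'admin') {
  const { filter, update } = buildRoleRepair(username, role);
  let nMatched = 0;
  let nModified = 0;
  const out = users.map((u) => {
    if (u.username !== filter.username) return u;
    nMatched += 1;
    const next = applyUpdate(u, update);
    if (JSON.stringify(next) !== JSON.stringify(u)) nModified += 1;
    return next;
  });
  return { users: out, result: { nMatched, nUpserted: 0, nModified } };
}

// Turns a WriteResult into the message an operator needs to read.
function explainWriteResult({ nMatched = 0, nModified = 0 } = {}) {
  if (nMatched === 0) return 'no document matched the filter; check the username';
  if (nModified === 0) return 'document matched but nothing changed; role already present';
  return 'role added';
}

// Constructed sample data.
const users = [
  { username: 'alice', ldap: true, roles: ['user', 'livechat-agent'] },
  { username: 'bob', ldap: true, roles: ['user'] },
];

const ok = runRepair(users, 'alice');
console.log(ok.result, explainWriteResult(ok.result));
console.log(ok.users[0].roles); // ['user', 'livechat-agent', 'admin']

// The thread's $set variant on the same user: livechat-agent is gone.
console.log(applyUpdate(users[0], { $set: { roles: ['admin'] } }).roles); // ['admin']

// Wrong username: nothing matched, nothing changed.
console.log(explainWriteResult(runRepair(users, 'Alice').result));
```

Usernames in the filter are compared exactly, so a case or spelling mismatch is the first thing to check when nMatched is 0. After the repair, remove the ldap: false override only once the upgraded sync no longer rewrites roles, and rotate the password set through the known hash.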

sampaiodiego commented 3 years ago

@maeries please update to 4.0.1 and give admin from the UI. There is no need to execute commands on the database since the bug was already fixed.

maeries commented 3 years ago

@sampaiodiego I already updated to 4.0.1. My problem is that currently there is no admin that could give admin privileges to other users in the UI

sampaiodiego commented 3 years ago

If there is no admin in the whole server, the next user that registers will be admin.