Permission Hierarchy Review

[sfreudenthaler]

Parent Issue

https://github.com/dotCMS/private-issues/issues/31

Task

I got the following from @mbiuki

Roles and tools

As a limited user with access to the config tool group, I am able to change the access for the CMS Administrator role, which doesn’t make sense as I should not be able to limit access for admins.

Proposed Objective

Security & Privacy

Proposed Priority

Priority 3 - Average

Acceptance Criteria

from @mbiuki

possible acceptance criteria

• Audit and adjust role permissions to ensure limited users cannot alter higher-level roles or access restricted tools
• Disable or hide actions for which users do not have permissions and provide clear indications of these restrictions.

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

• original issue in wrong repo
• Parent issue that was the source for this issue being created: https://github.com/dotCMS/private-issues/issues/31
  • duplicate of that parent issue https://github.com/dotCMS/core/issues/27909
  • PR that fixed the original security flaw https://github.com/dotCMS/core/pull/27912
• deep dive in slack convo

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response

[github-actions[bot]]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.