For now the portal can reset the password of any user. The permission can be abused to break into accounts with elevated permissions. The ACI for 'System: Change User password' already forbids password changes to members of the admin group. There might be systems with other critical users.
The 'System: Change User password' permission should be replaced by a more limited permission that is restricted to self-service users. In order to limit the scope, we have to introduce a set of additional group/role/permission:
group: self-service users
role: Self-Service User
permission: 'System: Change Self-Service User password'
ACI similar to "permission:System: Change User password".
Self-registered users should be automatically added to the new group, too. It also allows the admin to track self-registered users more easily.
permission-add's target filter only supports groups. It makes sense; it's not one's privilege that somebody else is allowed to write to one's password field.
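The group, role and permission proposed above, sketched as `ipa` CLI calls; this is an added example, not code from the portal project. The group cn `self-service-users`, the privilege name, the attribute list and the FreeIPA 4.x flag spellings (`--right`, `--memberof`) are assumptions to check against your server.

```shell
#!/bin/sh
# Added example: scope the portal's password-reset right to self-service users.
# Permission and role names are taken from the issue text; GROUP and PRIVILEGE
# are assumed names (FreeIPA roles reach permissions through a privilege).
GROUP="self-service-users"
ROLE="Self-Service User"
PERMISSION="System: Change Self-Service User password"
PRIVILEGE="Self-Service Password Reset"

run() {
    # Print the command instead of executing it unless DRY_RUN=0 is set.
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_selfservice_reset() {
    # 1. Group that self-registered users are added to.
    run ipa group-add "$GROUP" --desc="Self-registered users" &&
    # 2. Write access to password attributes, limited by --memberof to that
    #    group. The attribute list is an assumption: copy it from
    #    `ipa permission-show "System: Change User password"` on your server.
    run ipa permission-add "$PERMISSION" --type=user --right=write \
        --attrs=userpassword --attrs=krbprincipalkey \
        --memberof="$GROUP" &&
    # 3. Privilege and role that carry the permission.
    run ipa privilege-add "$PRIVILEGE" &&
    run ipa privilege-add-permission "$PRIVILEGE" --permissions="$PERMISSION" &&
    run ipa role-add "$ROLE" &&
    run ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE"
    # Not shown: assigning the role to the portal's account and removing
    # 'System: Change User password' from it (account not named on the page).
}
```

Calling `setup_selfservice_reset` prints the six commands for review; `DRY_RUN=0 setup_selfservice_reset` executes them on an enrolled host with an admin Kerberos ticket.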