CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +43 frameworks worldwide: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber and so much more
I removed `import { fail } from 'assert';` in "frontend/src/routes/(app)/users/[id=uuid]/edit/+page.server.ts"; it seems like it was an error, surely from someone who auto-imported the wrong `fail` function in a previous commit.
According to this Mixin definition, the "name" field isn't unique, which means there may be multiple UserGroup objects with the same name:
```python
from django.db import models
from django.utils.translation import gettext_lazy as _

class NameDescriptionMixin(AbstractBaseModel):  # AbstractBaseModel is the project's own base class
    name = models.CharField(max_length=200, verbose_name=_("Name"), unique=False)
```
I am not sure having 2 user groups with the exact same name should be authorized by the application; is this normal?
What if some evil user created a user group with the same name as the admin group and bypassed some permission checks?
To address this potential issue, in my code I always added `builtin=True` when fetching the admin group, since builtin objects are meant to be immutable.
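As an added illustration of the lookup behaviour discussed in this comment (not code from CISO Assistant), the block below uses a plain in-memory stand-in for the UserGroup table with Django-style `.get()` semantics. The admin group name, the sample groups and the helper names are all constructed for the example. It shows that once a second group shares the admin group's name, a name-only lookup becomes ambiguous and raises, while a lookup qualified with `builtin=True` still resolves to the immutable built-in group; it also includes a small check that lists colliding names, which is the audit a reviewer would want to run against existing data.

```python
"""Added example: why fetching the admin group by name alone is fragile when
`name` is not unique, and how qualifying the lookup with builtin=True keeps
the permission check anchored to the immutable built-in group.
This is an in-memory stand-in, not the project's Django model or manager.
"""
from dataclasses import dataclass, field

ADMIN_GROUP_NAME = "Administrators"  # assumed name; the project's real value may differ


class MultipleObjectsReturned(Exception):
    """Mirrors Django's behaviour when QuerySet.get() matches more than one row."""


class DoesNotExist(Exception):
    """Mirrors Django's behaviour when QuerySet.get() matches no row."""


@dataclass(frozen=True)
class UserGroup:
    name: str
    builtin: bool = False
    members: frozenset = field(default_factory=frozenset)


def get_one(groups, **filters):
    """Stand-in for QuerySet.get(): exactly one match or an exception."""
    matches = [g for g in groups
               if all(getattr(g, k) == v for k, v in filters.items())]
    if not matches:
        raise DoesNotExist(filters)
    if len(matches) > 1:
        raise MultipleObjectsReturned(filters)
    return matches[0]


def admin_group_by_name(groups):
    """Fragile lookup: only works while no other group shares the name."""
    return get_one(groups, name=ADMIN_GROUP_NAME)


def admin_group_builtin(groups):
    """Hardened lookup: restricted to the built-in (immutable) group."""
    return get_one(groups, name=ADMIN_GROUP_NAME, builtin=True)


def is_admin(groups, username, lookup=admin_group_builtin):
    """Permission check that depends on which admin-group lookup is used."""
    return username in lookup(groups).members


def name_only_lookup_breaks(groups):
    """True when the name-only lookup can no longer resolve the admin group."""
    try:
        admin_group_by_name(groups)
    except MultipleObjectsReturned:
        return True
    return False


def duplicate_names(groups):
    """Detection: group names that occur more than once."""
    seen, dupes = set(), set()
    for g in groups:
        if g.name in seen:
            dupes.add(g.name)
        seen.add(g.name)
    return dupes


# Constructed sample data: the real built-in group and a user-created look-alike.
BUILTIN_ADMINS = UserGroup(ADMIN_GROUP_NAME, builtin=True, members=frozenset({"alice"}))
LOOKALIKE = UserGroup(ADMIN_GROUP_NAME, builtin=False, members=frozenset({"bob"}))
GROUPS = [BUILTIN_ADMINS, LOOKALIKE]

if __name__ == "__main__":
    print("duplicate names:", duplicate_names(GROUPS))
    print("name-only lookup breaks:", name_only_lookup_breaks(GROUPS))
    print("alice is admin:", is_admin(GROUPS, "alice"))
    print("bob is admin:", is_admin(GROUPS, "bob"))
```

With only the built-in group present both lookups agree; the moment the look-alike is added, the name-only lookup fails for every caller (so even an admin can no longer be verified), whereas the `builtin=True` lookup keeps returning the built-in group and correctly rejects `bob`. A database-level uniqueness constraint on `name` would make the collision impossible in the first place, which is the question this comment raises.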