jakubgarfield / Bonobo-Git-Server

Bonobo Git Server for Windows is a web application you can install on your IIS and easily manage and connect to your git repositories. Go to homepage for release and more info.
http://bonobogitserver.com
MIT License

[Bug] Permission Control #860

Open BetterYan opened 4 years ago

BetterYan commented 4 years ago

Version 6.5.0

17 April 2019

A normal user can add the admin role to himself. It can be reproduced with the sequence below:

  1. Set a normal user as admin. We call it User1.
  2. Login with User1.
  3. Change the role of User1, disabling the admin role, with another Admin account (it can be done with the Chrome incognito feature, or use another browser).
  4. Refresh the User1 web page. The repositories are OK. But the User button is still available for User1. He can add the admin role to himself. <--- This is the point

willdean commented 4 years ago

Thanks for this - this type of problem is very common with the kind of cookie auth which ASP.NET (and Core) applications use. The issue is that User1 has a cookie which says he's an admin, and there's nothing about revoking his admin rights (via another session) which can directly reach out to his browser and revoke the cookie.

The only solution is to re-validate the cookie against the database on every access, which isn't usually considered to be very good for performance.

However, I'd say that Bonobo is not usually used in very high-volume environments, and it would probably make sense to make sure that the cookie is revalidated more often.

BetterYan commented 4 years ago

@willdean In my opinion, it's a minor bug that the 'normal' user can edit the user profile at the frontend. But the backend side accepts the 'set as admin' request. That's the major issue.
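The two points raised in this thread (willdean's: a cookie that still says "admin" until it is re-validated against the database; BetterYan's: the backend must refuse the 'set as admin' request on its own, whatever the UI shows) can be illustrated together with an added example. This is not Bonobo's code: it is a stand-alone ASP.NET Core minimal API (assumed `Microsoft.NET.Sdk.Web` implicit usings) in which an in-memory dictionary stands in for the users table, and the user names, routes and the `AdminOnly` policy name are constructed for the demo.

```csharp
// Added example (not Bonobo Git Server's own code): ASP.NET Core cookie
// authentication that re-checks the user's roles against the user store on
// every request, plus a role-change endpoint that is authorized server-side.
// Assumes the Web SDK implicit usings (System.Linq, Microsoft.AspNetCore.*).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Stand-in for the users table: user name -> roles. Constructed sample data;
// "user1" starts out as an administrator, as in step 1 of the report.
var userStore = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
{
    ["admin"] = new() { "Administrator" },
    ["user1"] = new() { "Administrator" },
};

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Events = new CookieAuthenticationEvents
        {
            // Runs on every request that presents the auth cookie. This is the
            // per-request database lookup willdean refers to; a real app would
            // resolve its DbContext from context.HttpContext.RequestServices.
            OnValidatePrincipal = async context =>
            {
                var name = context.Principal?.Identity?.Name;

                if (name is null || !userStore.TryGetValue(name, out var currentRoles))
                {
                    // User no longer exists: the cookie is not valid at all.
                    context.RejectPrincipal();
                    await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    return;
                }

                var cookieRoles = context.Principal!.FindAll(ClaimTypes.Role)
                    .Select(c => c.Value)
                    .ToHashSet();

                if (!cookieRoles.SetEquals(currentRoles))
                {
                    // Roles changed since the cookie was issued (e.g. admin
                    // revoked from another session): rebuild the principal
                    // from the store and re-issue the cookie.
                    context.ReplacePrincipal(BuildPrincipal(name, currentRoles));
                    context.ShouldRenew = true;
                }
            }
        };
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Administrator")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Demo sign-in: issues a cookie carrying the roles the store holds right now.
app.MapGet("/login/{name}", async (string name, HttpContext http) =>
{
    if (!userStore.TryGetValue(name, out var roles)) return Results.NotFound();
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, BuildPrincipal(name, roles));
    return Results.Ok($"signed in as {name}");
});

// The server-side check that has to exist regardless of whether the UI shows
// the User button: only a *current* administrator may grant or revoke roles.
// The policy is evaluated against the principal that OnValidatePrincipal has
// just refreshed, so a stale "Administrator" claim in the cookie is not enough.
app.MapPost("/users/{name}/roles/{role}", (string name, string role) =>
{
    if (!userStore.TryGetValue(name, out var roles)) return Results.NotFound();
    roles.Add(role);
    return Results.Ok();
}).RequireAuthorization("AdminOnly");

app.MapDelete("/users/{name}/roles/{role}", (string name, string role) =>
{
    if (!userStore.TryGetValue(name, out var roles)) return Results.NotFound();
    roles.Remove(role);
    return Results.Ok();
}).RequireAuthorization("AdminOnly");

app.Run();

// Builds a cookie principal from the store's view of the user, never from the
// caller's existing claims.
static ClaimsPrincipal BuildPrincipal(string name, IEnumerable<string> roles)
{
    var claims = new List<Claim> { new(ClaimTypes.Name, name) };
    claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    return new ClaimsPrincipal(identity);
}
```

Replaying the report against this app: `user1` signs in and receives a cookie with the `Administrator` claim; `admin` (in another browser) calls `DELETE /users/user1/roles/Administrator`; on `user1`'s next request `OnValidatePrincipal` finds that the cookie's roles no longer match the store, replaces the principal, and `POST /users/user1/roles/Administrator` from that session is rejected by the `AdminOnly` policy. The cost is the extra store read per request that willdean mentions; a cheaper middle ground is to compare only a per-user security stamp (bumped whenever roles change) and reload the full record just when the stamp differs.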