ome / omero-web

Django-based OMERO.web client
https://www.openmicroscopy.org/omero

createExperimenterWithPassword SecurityViolation Cannot change the password of a more privileged user #567

Open will-moore opened 1 month ago

will-moore commented 1 month ago

https://www.openmicroscopy.org/qa2/qa/feedback/41761/

Traceback (most recent call last):
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/decorators.py", line 538, in wrapped
    retval = f(request, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/decorators.py", line 597, in wrapper
    context = f(request, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webadmin/views.py", line 526, in manage_experimenter
    conn.createExperimenter(
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webclient/webclient_gateway.py", line 1129, in createExperimenter
    exp = admin_serv.createExperimenterWithPassword(
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero/gateway/__init__.py", line 4859, in __call__
    return self.handle_exception(e, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webclient/webclient_gateway.py", line 2123, in handle_exception
    super(OmeroWebSafeCallWrapper, self).handle_exception(e, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero/gateway/__init__.py", line 4856, in __call__
    return self.f(*args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero_api_IAdmin_ice.py", line 1866, in createExperimenterWithPassword
    return _M_omero.api.IAdmin._op_createExperimenterWithPassword.invoke(self, ((user, password, defaultGroup, groups), _ctx))
omero.SecurityViolation: exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: Cannot change the password of a more privileged user.
        at ome.logic.AdminImpl.changeUserPassword(AdminImpl.java:1274)
        at ome.logic.AdminImpl.createExperimenterWithPassword(AdminImpl.java:722)

sbesson commented 1 month ago

I suspect the easiest workflow to reproduce this type of security violation would be to:

1. create a light administrator with permissions to create other users
2. log in to OMERO.web using this light administrator
3. try to create a full administrator using the OMERO.web admin UI, i.e. create a new user and add it to the system group
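The reproduction above comes down to a privilege comparison: the light administrator holds only a subset of the admin privileges, while a new member of the system group is a full administrator, so the server refuses to set the new user's password. The following is an added illustration written for this page, not omero-web or OMERO.server code; it models that comparison as a client-side pre-check. The privilege names are a sample from OMERO's AdminPrivilege enumeration, and the rules that "more privileged" means "holds a privilege the actor lacks" and that a new system-group member receives the full set are assumptions.

```python
from dataclasses import dataclass

# Sample of OMERO AdminPrivilege names (constructed subset, for illustration).
ALL_PRIVILEGES = frozenset({
    "Chgrp", "Chown", "ModifyGroup", "ModifyGroupMembership", "ModifyUser",
    "ReadSession", "Sudo", "WriteOwned", "WriteFile", "DeleteOwned",
})
SYSTEM_GROUP = "system"


@dataclass(frozen=True)
class Experimenter:
    name: str
    groups: frozenset      # names of the groups the user belongs to
    privileges: frozenset  # admin privileges held; empty for non-admins

    @property
    def is_admin(self):
        return SYSTEM_GROUP in self.groups


def missing_privileges(actor, target):
    """Privileges the target holds that the actor lacks. Assumed meaning of
    'more privileged' in the server's SecurityViolation message."""
    return target.privileges - actor.privileges


def can_set_password(actor, target):
    """Pre-check for the failure in the traceback: an admin may only set the
    password of a user who is not more privileged than itself."""
    if not actor.is_admin:
        return False, frozenset({"<not an administrator>"})
    missing = missing_privileges(actor, target)
    return not missing, missing


def plan_new_user(actor, name, groups):
    """Predict the outcome of `actor` creating `name` in `groups` via the web
    admin UI. Assumption: a new system-group member gets ALL_PRIVILEGES."""
    groups = frozenset(groups)
    privileges = ALL_PRIVILEGES if SYSTEM_GROUP in groups else frozenset()
    ok, missing = can_set_password(actor, Experimenter(name, groups, privileges))
    if ok:
        return f"createExperimenterWithPassword({name}) would succeed"
    return "SecurityViolation expected: actor lacks " + ", ".join(sorted(missing))


# Constructed actors matching the reproduction steps.
LIGHT_ADMIN = Experimenter("light-admin", frozenset({SYSTEM_GROUP, "lab"}),
                           frozenset({"ModifyUser", "ModifyGroupMembership"}))
FULL_ADMIN = Experimenter("root", frozenset({SYSTEM_GROUP}), ALL_PRIVILEGES)

if __name__ == "__main__":
    print(plan_new_user(LIGHT_ADMIN, "alice", ["lab"]))
    print(plan_new_user(LIGHT_ADMIN, "root2", [SYSTEM_GROUP, "lab"]))
```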