org-SCAN / website

Project website

[COUSSIN]User shouldn't be able to change his own role #398

Open lduf opened 1 year ago

lduf commented 1 year ago

Cushion description

User shouldn't be able to change his own role.

Example: user management role: can do * in user but nothing else. He can change his role to another one and then bypass the system.

Expected behavior

Do not allow any user to change his own role. The user SHOULD ask for a new role through the request role panel. Also, a user can't accept his own request.

Additional information

Ø
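The expected behavior described in the report above, sketched as server-side checks. This is an added example, not part of the issue thread or the project's code; the role table, class names and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed role table; the project's real roles and permissions are not on the page.
ROLE_PERMS = {"user_manager": {"user:*"}, "admin": {"*"}, "member": set()}

class Forbidden(Exception):
    """Raised when an authorization rule rejects the action."""

@dataclass
class User:
    name: str
    role: str

@dataclass
class RoleRequest:
    requester: User
    role: str
    status: str = "pending"

def can_manage_users(user):
    perms = ROLE_PERMS.get(user.role, set())
    return "*" in perms or "user:*" in perms

def set_role(actor, target, new_role):
    """Direct role change: needs user-management rights and a different target."""
    if new_role not in ROLE_PERMS:
        raise ValueError(f"unknown role {new_role!r}")
    if not can_manage_users(actor):
        raise Forbidden("actor lacks user-management permission")
    # Compare identities from the authenticated session, never a client-sent flag.
    if actor.name == target.name:
        raise Forbidden("users cannot change their own role")
    target.role = new_role

def request_role(requester, role):
    """Any user may ask for a role; nothing changes until someone else approves."""
    if role not in ROLE_PERMS:
        raise ValueError(f"unknown role {role!r}")
    return RoleRequest(requester, role)

def approve_request(approver, req):
    """Approval is a role change made by someone other than the requester."""
    if req.status != "pending":
        raise Forbidden("request already resolved")
    if approver.name == req.requester.name:
        raise Forbidden("users cannot approve their own request")
    set_role(approver, req.requester, req.role)  # reuses the permission check
    req.status = "approved"
```

Both rules are enforced in the functions that mutate state, so hiding the control in the UI is not what blocks the bypass.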

github-actions[bot] commented 6 months ago

AI-Assisted Response:

Summary

Issue Title: Restrict Users from Changing Their Own Role

Currently, within the user management system, users are given the ability to modify their own roles. For example, a user with the "user management" role is permitted to perform all actions within the user domain but should not have access to other permissions. However, this user can switch their role to another one and, as a result, circumvent the intended permission limitations.

Expected Behavior: The system needs to be updated to prohibit users from self-assigning roles. Requests for role changes should be made through the designated "request role" panel, and a user must not be allowed to approve their own role change requests.

Issue Category

Questions for Further Clarification