MGLL closed this 7 months ago
Yes, manage-roles seems like a privilege escalation flaw. We should either restrict it to the roles the user has, or make its use dependent on having all organization management roles.
@pnzrr Can you take care of prohibiting this in the UI?
I'll update the API to prohibit it.
@MGLL great find, PR issued to fix the Admin Portal piece.
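The two options discussed above (only allow granting roles the requester already holds, or require every organization management role) as a server-side guard for a "set roles" request. This is an added example, not code from phasetwo-keycloak or the admin portal; the role names other than manage-roles are assumed to follow the Phase Two organization role naming.

```typescript
// Added example (not project code). Assumed organization management role
// names; only "manage-roles" is taken from the issue itself.
const ORG_MANAGEMENT_ROLES: string[] = [
  "view-organization", "manage-organization",
  "view-members", "manage-members",
  "view-invitations", "manage-invitations",
  "view-roles", "manage-roles",
  "view-identity-providers", "manage-identity-providers",
];

type SetRolesPolicy = "subset" | "all-management";
interface SetRolesDecision { allowed: boolean; reason: string; }

// Decide whether a requester holding `requesterRoles` may apply a
// "set roles" action that would leave the target with `requestedRoles`.
// "subset": a requester may only hand out roles they hold themselves, so
//           acting on their own account can never add anything.
// "all-management": manage-roles is only usable by a full org admin.
function canSetRoles(
  requesterRoles: string[],
  requestedRoles: string[],
  policy: SetRolesPolicy = "subset",
): SetRolesDecision {
  const have = new Set(requesterRoles);
  // Without manage-roles the action is never allowed, whatever the policy.
  if (!have.has("manage-roles")) {
    return { allowed: false, reason: "requester lacks manage-roles" };
  }
  if (policy === "all-management") {
    const missing = ORG_MANAGEMENT_ROLES.filter((r) => !have.has(r));
    return missing.length === 0
      ? { allowed: true, reason: "requester holds every management role" }
      : { allowed: false, reason: `requester is missing: ${missing.join(", ")}` };
  }
  // "subset": reject any role in the request that the requester does not hold.
  const escalating = Array.from(new Set(requestedRoles)).filter((r) => !have.has(r));
  if (escalating.length > 0) {
    return {
      allowed: false,
      reason: `would grant roles the requester does not hold: ${escalating.join(", ")}`,
    };
  }
  return { allowed: true, reason: "requested roles are a subset of the requester's roles" };
}
```

The UI fix described in the thread would hide the action in the same two cases; the check above is the one the API needs so that the restriction still holds when the portal is bypassed.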
Hello,
I might have found a "bug".
I have noticed that on our own account, even if we can't modify roles one by one, "set roles" actions are still available.
Version tested:
quay.io/phasetwo/phasetwo-keycloak:23.0.6
This one could cause an issue, as we might want to remove some responsibilities from some organization members but not all of them.
For example:
I think it could be great to block those 'set roles' actions also, so a user can't get access to higher "privilege" by himself.
See recording below of the example:
https://github.com/p2-inc/phasetwo-admin-portal/assets/16251642/6821c305-b44e-4498-84d7-ab1a9c843269