p2-inc / phasetwo-admin-portal

https://phasetwo.io

[Issue] "Set roles" still active for own profile #132

Closed MGLL closed 7 months ago

MGLL commented 8 months ago

Hello,

I might have found a "bug".
I have noticed that on our own account, even if we can't modify roles one by one, "set roles" actions are still available.

Version tested:

This one could cause an issue, as we might want to remove some responsibilities from some organization members but not everything.

For example:

I think it could be great to block those 'set roles' actions also, so a user can't get access to higher "privilege" by himself.

See recording below of the example:

https://github.com/p2-inc/phasetwo-admin-portal/assets/16251642/6821c305-b44e-4498-84d7-ab1a9c843269

xgp commented 8 months ago

Yes, manage-roles seems like a privilege escalation flaw. We should either restrict it to the roles the user has, or make its use dependent on having all organization management roles.
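
An added example, not code from phasetwo-admin-portal or its API, showing a server-side guard for a "set roles" request that implements the two options above plus the own-profile block from the report; the request shape and the management role names are assumptions:

```typescript
// Assumed request shape for a "set roles" call (illustration only).
type SetRolesRequest = {
  callerId: string;
  callerRoles: readonly string[];
  targetUserId: string;
  requestedRoles: readonly string[];
};

type Decision = { allowed: boolean; reason: string };

// Assumed placeholder names for the organization management roles.
const ORG_MANAGEMENT_ROLES: readonly string[] = [
  "manage-organization", "manage-members", "manage-roles",
];

function holds(roles: readonly string[], role: string): boolean {
  return roles.indexOf(role) !== -1;
}

function authorizeSetRoles(
  req: SetRolesRequest,
  mode: "subset" | "all-management",
): Decision {
  // The flaw reported in this issue: a user rewriting their own role set.
  if (req.callerId === req.targetUserId) {
    return { allowed: false, reason: "cannot set roles on own profile" };
  }
  if (!holds(req.callerRoles, "manage-roles")) {
    return { allowed: false, reason: "caller lacks manage-roles" };
  }
  if (mode === "all-management") {
    // Option 2: only a holder of every management role may use set-roles.
    const missing = ORG_MANAGEMENT_ROLES.filter((r) => !holds(req.callerRoles, r));
    return missing.length === 0
      ? { allowed: true, reason: "caller holds all management roles" }
      : { allowed: false, reason: `caller is missing ${missing.join(", ")}` };
  }
  // Option 1: a caller may only grant roles they already hold, so set-roles
  // can never hand out anything beyond the caller's own privileges.
  const ungrantable = req.requestedRoles.filter((r) => !holds(req.callerRoles, r));
  return ungrantable.length === 0
    ? { allowed: true, reason: "requested roles are a subset of caller roles" }
    : { allowed: false, reason: `caller cannot grant ${ungrantable.join(", ")}` };
}
```

Either policy is enforced at the API, so the UI hiding the action (as done in the PR) is a usability measure rather than the security boundary.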

xgp commented 7 months ago

@pnzrr Can you take care of prohibiting this in the UI?

I'll update the API to prohibit it.

pnzrr commented 7 months ago

@MGLL great find, PR issued to fix the Admin Portal piece.