J3 Issue
zero-24
14 Oct 2018

Steps to reproduce the issue

With 3.8.13 the JSST implemented an ACL check to make sure only logged-in people can activate the accounts. In that process we found out that, in order to get the admin account mail, you only need to have the permission core.create and to have "System Mails" enabled in the user profile.

https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php#L139-L177

While in theory this sounds good, we have a loophole here:
[screenshot]

As Authors (or possibly any other group that gets core.create as a global permission) have the global core.create permission, they can get the activation mail and also activate accounts. In order to create accounts from the backend you are required to have core.manage for com_users too, which these users do not have.

Proposal

The proposal would be a core.activate permission, which would mean that in many places where similar things happen we would need to create similar new permissions. I'm not sure what the correct place is, or if we should accept the current behavior.
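As an added example (not code from the issue or from Joomla itself), the recipient selection the issue describes, written both ways: the core.create-only check beside the compound check that also requires core.manage on com_users. It assumes the Joomla 3 API (JFactory::getDbo, JFactory::getUser, JUser::authorise); the two helper function names are hypothetical.

```php
<?php
// Added example, not Joomla's own code. The two helper names are
// hypothetical; the Joomla 3 API calls (JFactory, JUser::authorise) are real.

// Users who opted in to system mails ("System Mails" in the profile,
// stored as sendEmail = 1 in #__users).
function getSystemMailUsers()
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'name', 'email')))
        ->from($db->quoteName('#__users'))
        ->where($db->quoteName('sendEmail') . ' = 1');
    $db->setQuery($query);

    return (array) $db->loadObjectList();
}

// Filter those users down to the ones that should receive the activation
// mail. $requireManage = false is the core.create-only check the issue
// describes; true is the compound check (core.create AND core.manage on
// com_users) that mirrors what backend account creation already requires.
function getActivationMailRecipients($requireManage = true)
{
    $recipients = array();

    foreach (getSystemMailUsers() as $row)
    {
        $user = JFactory::getUser($row->id);

        if (!$user->authorise('core.create', 'com_users'))
        {
            continue;
        }

        // An Author with only the global core.create permission stops
        // here, because it lacks core.manage on com_users.
        if ($requireManage && !$user->authorise('core.manage', 'com_users'))
        {
            continue;
        }

        $recipients[] = $row;
    }

    return $recipients;
}
```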

zero-24 - open - 14 Oct 2018
PhilETaylor - comment - 14 Oct 2018

@joomla/security

I'm pretty sure @mbabker already suggested some new permissions ...

mbabker - comment - 14 Oct 2018

To be clear, it's not a loophole. Rather, to effectively complete this particular task you either need a compound permission set (core.manage + core.create, something that can't be reflected in the UI) or this particular task needs its own permission. If we had a fixed set of user groups, I would be more inclined to call it a security issue, but because we have customizable groups you do have to focus specifically on the permission(s) required to complete a task.

brianteeman - change - 30 Oct 2018
Labels Added: J3 Issue
franz-wohlkoenig - change - 4 Mar 2019
Status: New → Discussion
franz-wohlkoenig - change - 29 Mar 2019
Category: ACL
zero-24 - comment - 27 Apr 2019

Please see: #24738

zero-24 - close - 27 Apr 2019
Status: Discussion → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-04-27 12:36:29
Closed_By: zero-24
