Pull Request for Issue #22603.
As discussed in #22603, let's add core.manage to the required permissions.
Add core.manage to the required permissions.
core.manage is not required to create accounts from the Frontend.
Status: New ⇒ Pending
Category: ⇒ Front End com_users
Doesn't look like a good solution.
Any suggestions? And why does this not look like a good solution? It makes sure only users that can create users from the backend can also create / approve them from the Frontend.
Shall we test or not?
Shall we test or not?
Let's wait for @HLeithner's answer on my question first.
If you don't have a better solution we can merge it, but we should really find a better solution.
Well, can you explain what your issue with the current solution is? Maybe we can find a better solution then ;)
Any update @HLeithner?
@HLeithner gentle reminder.
As we don't have a better solution at the moment I would merge this if we get some tests.
Great, thanks, then happy testing.
@joomla/bug-squad @joomla/security would be great to get some tests here as this also has a sec impact. :)
Drone is not happy. Does not look related to the patch.
@infograf768 Drone shows merge conflicts in the "clone" step ... so maybe that is related to this PR.
Drone / clone is happy now.
I have tested this item
I have tested this item
Just had problems understanding which parameters to disable to fit the test requirements....
Status: Pending ⇒ Ready to Commit
RTC
Thanks for the tests
Status: Ready to Commit ⇒ Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 ⇒ 2020-05-14 12:50:44
Closed_By: ⇒ HLeithner
Thanks
Thanks
Well, this change broke the possibility of allowing a more or less regular user to activate new user accounts from the front end. I don't think that was intended? Did you take that into account with the change you made? And did you test that?
Two days ago I updated to Joomla 3.9.19. Suddenly I notice my colleagues (who have no Joomla knowledge at all!) can no longer activate new user accounts through the activation link (https://xxxxxx.nl/log-in?task=registrat ... 82xxxxxxxx) provided in the System Email sent to them.
(The "New User Account Activation" setting is set to 'Administrator'.) Trying to activate a user gives an error message: "U bent niet gemachtigd om nieuwe accounts te activeren, meld u aan met een bevoorrecht account". Something like "You are not authorized to activate new accounts. Provide a privileged account".
The user account used to activate the new users from the frontend is a member of the User Groups 'Registered' and 'Publisher'. With this user account and these memberships I could always activate new users. Notice this user account is not (and was never) a member of the User Groups 'Manager' or 'Administrator'.
Adding the user account used to activate the new users to the User Group 'Administrator' fixed the problem. With that membership I can activate new users. But I don't want this account to have the rights associated with the 'Administrator' group! (Like access to the backend administration panel.)
I think this consequence was overseen???
It was not overseen. It was the intention of this PR. The idea is that only "administrators" can activate users. Although you don't have to use the Administrator user group. You can create a custom group with the right permissions for com_users.
Yeah, you can... I know quite a lot about using Joomla and I maintain several Joomla sites, but fiddling with user groups and rights is a whole different cookie. That really is too difficult and risky for Joe Average Joomla Admin! Please consider going back to the drawing board?
It is far more risky to let Registered and Publisher default groups activate new users.
@HLeithner You were hesitant about this change. What do you think about my point? This change indeed makes sure only users that can create users from the backend can also create/approve them from the Frontend, but it blocks users that have no admin skills/rights to approve new users from the frontend.
@infograf768 and making them admin is less risky?
Anyhow, these users with Registered and Publisher rights do get create, edit and edit_state on top of edit_own on com_users by default. Instead of `&& !$user->authorise('core.manage', 'com_users')`, removing these permissions would have been sufficient?
Yes, realistically, low privileged users should not have create permissions in com_users.
@KrejtSparck I see no problem with this PR; the concern was that we don't have the possibility to combine rights in Joomla, something like you need "right x" to have "right y". The requirement is not wrong: if you can't manage users you shouldn't be able to manage them.
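The access rule argued over in this thread, modelled as an added example that is not Joomla's code: a user activating an account from the front end must hold `core.manage` on com_users in addition to the create permission. The group names, the default grants (taken from the comment above: Registered and Publisher get create, edit and edit_state on top of edit_own) and the pre-PR condition (create alone) are assumptions made for the illustration; the "User Approver" custom group shows the alternative suggested above, a dedicated group that carries only the rights needed to approve accounts and no backend access.

```python
# Added example (not Joomla code): a toy ACL evaluator for the com_users
# activation rule discussed in the PR. Group names and grants are assumed.

# Per-group permissions on com_users, constructed for the example.
# Registered/Publisher defaults follow the thread's description; the
# Administrator and "User Approver" grants are assumed.
COM_USERS_GRANTS = {
    "Registered": {"core.edit.own", "core.create", "core.edit", "core.edit.state"},
    "Publisher": {"core.edit.own", "core.create", "core.edit", "core.edit.state"},
    "Administrator": {"core.admin", "core.manage", "core.create",
                      "core.edit", "core.edit.state", "core.edit.own"},
    # Custom group: can approve accounts, but no core.admin (no backend access).
    "User Approver": {"core.manage", "core.create"},
}


def permissions_for(groups):
    """Union of the grants of every group the user belongs to."""
    perms = set()
    for group in groups:
        perms |= COM_USERS_GRANTS.get(group, set())
    return perms


def can_activate_before_pr(groups):
    """Assumed pre-PR condition: core.create on com_users was enough."""
    return "core.create" in permissions_for(groups)


def can_activate_after_pr(groups):
    """Rule introduced by the PR: create AND manage are required.

    This is the effect of the added `!$user->authorise('core.manage',
    'com_users')` guard quoted in the thread.
    """
    perms = permissions_for(groups)
    return "core.create" in perms and "core.manage" in perms


def has_backend_access(groups):
    """core.admin is the grant that implies backend administration rights."""
    return "core.admin" in permissions_for(groups)


if __name__ == "__main__":
    reporter = ["Registered", "Publisher"]          # the account in the bug report
    admin = ["Registered", "Administrator"]         # the workaround the reporter disliked
    approver = ["Registered", "User Approver"]      # the custom-group suggestion
    for name, groups in (("reporter", reporter), ("admin", admin), ("approver", approver)):
        print(f"{name:9s} before={can_activate_before_pr(groups)} "
              f"after={can_activate_after_pr(groups)} backend={has_backend_access(groups)}")
```

Running it shows the three situations from the thread side by side: the Registered+Publisher account could activate before the change and cannot afterwards, adding Administrator restores activation but also grants backend access, and a custom group holding just `core.manage` and `core.create` restores activation without it.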