Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 2.5.3
Affects Version/s: 2.4.3
Component/s: Security
Labels:
None

Operating System:
ALL
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

When calling AddUser to add a new user or modifying the roles array no verification is done that the role actually exists.

This allows for simple typos to cause unpredictable authorization behavior and potentially permission problems which are very difficult to troubleshoot. If the system allowed for custom defined roles the case would be even stronger.

related to

SERVER-6246 Manipulate user objects exclusively via commands

Closed

Assignee:: Spencer Brody (Inactive)

Reporter:: Andreas Nilsson (Inactive)

Participants:: Andreas Nilsson, David Hows, Spencer Brody

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: Apr 24 2013 01:11:13 PM UTC

Updated:: Jul 11 2016 05:59:35 PM UTC

Resolved:: Sep 20 2013 03:50:45 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates