Prevent update of role for normal user #31

New Issue

Open

opened 2021-06-09 10:39:24 +02:00 by christoph.lienhard · 0 comments

christoph.lienhard commented 2021-06-09 10:39:24 +02:00 (Migrated from git.verdigado.com)

Copy Link

Currently, each person can update their own row in the person table. This includes their own role which enables privilege escalation.

Prevent that.

Thing to consider:

• in principle, roles must be visible to some extend to everyone (at least filtering for candidates and editors has to be possible for everyone)
• editors still can change roles of users
• Views might be a solution, consider https://www.2ndquadrant.com/en/blog/how-do-postgresql-security_barrier-views-work/ and https://www.graphile.org/postgraphile/views/

Currently, each person can update their own row in the person table. This includes their own role which enables privilege escalation. Prevent that. Thing to consider: * in principle, roles must be visible to some extend to everyone (at least filtering for candidates and editors has to be possible for everyone) * editors still can change roles of users * Views might be a solution, consider https://www.2ndquadrant.com/en/blog/how-do-postgresql-security_barrier-views-work/ and https://www.graphile.org/postgraphile/views/

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

go-live

feature/#28

feature/#30

#33_introduce_arc42

develop

feature/#17

v0.1.0

Labels

Clear labels   

Documentation

Issues related to documentation enhancement

  

Infrastructure

Issues related to infrastructure, like docker-compose or setting up a test framework.

  

Redaktions-App

Issues related to the candymat redaktions app

  

User-App

Issues related to the candymat user app

  

backend

Issues related to the backend

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

wontfix

This won't be fixed

  

Effort

High

estimated 24 hours of work

  

Effort

Low

estimated 4 hours of work

  

Effort

Medium

estimated 12 hours of work

  

Prio

High

Mission critical

  

Prio

Low

Nice to have

  

Prio

Medium

Improves function or usability substantially

  

Type

Bug

Prevents existing functionality from being used

  

Type

Feature

Adds new features

No Label

Documentation

Infrastructure

Redaktions-App

User-App

backend

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Effort

High

Effort

Low

Effort

Medium

Prio

High

Prio

Low

Prio

Medium

Type

Bug

Type

Feature

Milestone

Clear milestone

No items

No Milestone

MVP Redaktions-App

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: NB-Public/kandimat#31

No description provided.