
grouper-users - [grouper-users] Require group for logins isn't working properly

Subject: Grouper Users - Open Discussion List

  • From: Gagné Sébastien <>
  • To: <>
  • Subject: [grouper-users] Require group for logins isn't working properly
  • Date: Thu, 6 Dec 2012 10:26:20 -0500

Hi,

In media.properties we defined a group required for logins:

media.properties:require.group.for.logins=etc:GroupeAccesUI


But the behaviour is “leaky”. A user out of this group can access and modify groups using the lite UI. Here is our use case:

1. Connect to grouper UI
2. Authenticate with CAS with a user NOT in GroupeAccesUI
3. Error message is shown that I must be in the group
4. Click on the Lite UI Link (clicking on other AdminUI’s functions still gives me the message)
5. Select Group members
6. Then in the search box the user can search and select any group where “GrouperAll”/EveryEntity has Admin or Optin privilege.
7. Then in manageMemberLite the user that shouldn’t have any access to the Grouper UI can modify the groups or the members.


Is it possible to block this? This is a serious security concern here and prevents us from going into production for the moment.

Thanks

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
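
An added illustration, not part of the original message and not Grouper code: a simplified Python model of the behaviour reported above, where one UI path checks the required login group and another relies only on EveryEntity privileges, next to a deny-by-default dispatcher that applies the check before every handler. The handler names, operation names and sample data are hypothetical, and the per-handler cause is an assumption; only `etc:GroupeAccesUI` comes from the message.

```python
# Simplified model of the reported behaviour; NOT Grouper code. Handler and
# operation names and all sample data are hypothetical / constructed.
REQUIRED_GROUP = "etc:GroupeAccesUI"   # value quoted in the message
MEMBERS = {REQUIRED_GROUP: {"alice"}}  # constructed: only alice may use the UI
# Constructed groups on which EveryEntity holds a privilege.
EVERY_ENTITY_PRIVS = {"app:wiki-editors": {"ADMIN"}, "app:newsletter": {"OPTIN"}}

class Denied(Exception):
    pass

def require_login_group(user):
    if user not in MEMBERS[REQUIRED_GROUP]:
        raise Denied(f"{user} must be in {REQUIRED_GROUP}")

def check_privilege(group, needed):
    # EveryEntity grants apply to any authenticated subject, member or not.
    if not EVERY_ENTITY_PRIVS.get(group, set()) & needed:
        raise Denied(f"no {sorted(needed)} privilege on {group}")

def admin_ui_edit_members(user, group):
    require_login_group(user)          # gate applied inside this handler
    check_privilege(group, {"ADMIN"})
    return "modified"

def lite_ui_manage_members(user, group):
    # Assumed gap: this path relies on group privileges only.
    check_privilege(group, {"ADMIN", "OPTIN"})
    return "modified"

OPERATIONS = {"admin.editMembers": admin_ui_edit_members,
              "lite.manageMember": lite_ui_manage_members}

def dispatch(op, user, group, central_gate=True):
    # Deny by default: with central_gate the login-group check runs before
    # any handler, so a handler that forgets it cannot be reached.
    if central_gate:
        require_login_group(user)
    return OPERATIONS[op](user, group)

def reachable_operations(user, central_gate):
    """Return every (operation, group) pair the user can complete."""
    reached = []
    for op in OPERATIONS:
        for group in EVERY_ENTITY_PRIVS:
            try:
                dispatch(op, user, group, central_gate)
                reached.append((op, group))
            except Denied:
                pass
    return reached
```

Running `reachable_operations` for a user outside the required group, once per setting of `central_gate`, works as a regression check: the result must be empty for every registered operation.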
