grouper-users - [grouper-users] RE: Require group for logins isn't working properly

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>, "" <>
  • Subject: [grouper-users] RE: Require group for logins isn't working properly
  • Date: Thu, 6 Dec 2012 16:32:47 +0000
  • Accept-language: en-US

Which version do you have?  2.1.3 from a certain date?

 

Also, did you set a lite ui group too?  Maybe set to same group as admin?

 

#users must be in this group to be able to login to the UI
#note: if they are in this group, then they can use the lite ui too
require.group.for.logins=

#users must be in this group to be able to login to the lite membership update UI (if not in require.group.for.logins)
require.group.for.membershipUpdateLite.logins=

 

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Thursday, December 06, 2012 10:26 AM
To:
Subject: [grouper-users] Require group for logins isn't working properly

 

Hi,

In media.properties we defined a group required for logins:

media.properties:require.group.for.logins=etc:GroupeAccesUI

 

But the behaviour is “leaky”. A user out of this group can access and modify groups using the lite UI. Here is our use case:

1. Connect to grouper UI
2. Authenticate with CAS with a user NOT in GroupeAccesUI
3. Error message is shown that I must be in the group
4. Click on the Lite UI Link (clicking on other AdminUI’s functions still gives me the message)
5. Select Group members
6. Then in the search box the user can search and select any group where “GrouperAll”/EveryEntity has Admin or Optin privilege.
7. Then in manageMemberLite the user that shouldn’t have any access to the Grouper UI can modify the groups or the members.

 

Is it possible to block this? This is a serious security concern here and prevents us from going in production for the moment.

 

Thanks

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
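
A way to check for the situation discussed in this thread, as an added example that is not part of the original messages or Grouper's own code: a small Python audit of media.properties content that reports when require.group.for.logins is set but require.group.for.membershipUpdateLite.logins is empty. It assumes, as the reply suggests but the thread does not confirm, that the empty lite setting is what leaves the lite UI reachable; the sample content and the function names are constructed for illustration.

```python
import re

ADMIN_KEY = "require.group.for.logins"
LITE_KEY = "require.group.for.membershipUpdateLite.logins"

# Constructed sample mirroring the two settings quoted in the thread.
SAMPLE = """\
#users must be in this group to be able to login to the UI
require.group.for.logins=etc:GroupeAccesUI
#users must be in this group to be able to login to the lite UI
require.group.for.membershipUpdateLite.logins=
"""


def parse_properties(text):
    """Minimal Java .properties reader (no line continuations).

    The key ends at the first unescaped '=', ':' or whitespace, so a value
    that itself contains ':' (such as 'etc:GroupeAccesUI') stays intact.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_login_groups(props):
    """Return findings about the two UI login-group settings."""
    findings = []
    admin = props.get(ADMIN_KEY, "")
    lite = props.get(LITE_KEY, "")
    if not admin:
        findings.append(f"{ADMIN_KEY} is empty: no group is required for UI login")
    if not lite:
        # Assumption taken from the reply: an unset lite group is the gap.
        findings.append(f"{LITE_KEY} is empty: set it, e.g. to the group "
                        f"used for the admin UI ({admin or 'unset'})")
    return findings


if __name__ == "__main__":
    for finding in audit_login_groups(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```
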

 



