Managers group can modify only the accounts database

stephdl · July 20, 2017, 12:42pm

Playing with the panel delegation I maybe found a bug in /usr/share/nethesis/NethServer/Authorization/base.json

{
    "Id": 1328028218,
    "Effect": "ALLOW",
    "Subject": ".groups HAS managers",
    "Action": ["QUERY OR MUTATE OR INSTANTIATE", "WRITE"],
    "Resource": [".category IS Management", "Nethgui\\System\\EsmithDatabase:accounts"],

    "Description":
        "Managers can access modules in Management category and write accounts database"
}

like you can see the Managers group can change settings in the Management section, but only the accounts database can be modified by the members of this group.

It gives an issue for example for the virtualhost panel because the database is vhosts (no permission granted on it)

davidep · July 20, 2017, 3:16pm

I agree, it should be added to the Resource list.

stephdl · July 20, 2017, 3:19pm

In fact you cannot find the database name, it should be granted to all databases. Why because you will think to official databases, but not for the custom one (mine, or others else)

davidep · July 20, 2017, 3:23pm

Right, it is possible to provide additional rules from individual modules though… But we could also grant access to all DBs by default and enforce rules at module level only.