Managers group can modify only the accounts database

v7

(Stéphane de Labrusse) #1

Playing with the panel delegation, I may have found a bug in /usr/share/nethesis/NethServer/Authorization/base.json:

{
    "Id": 1328028218,
    "Effect": "ALLOW",
    "Subject": ".groups HAS managers",
    "Action": ["QUERY OR MUTATE OR INSTANTIATE", "WRITE"],
    "Resource": [".category IS Management", "Nethgui\\System\\EsmithDatabase:accounts"],

    "Description":
        "Managers can access modules in Management category and write accounts database"
}

As you can see, the Managers group can change settings in the Management section, but only the accounts database can be modified by the members of this group.

This causes an issue, for example, for the virtualhost panel, because the database is vhosts (no permission granted on it).


(Davide Principi) #2

I agree, it should be added to the Resource list.


(Stéphane de Labrusse) #3

In fact, you cannot find the database name; it should be granted to all databases. Why? Because you will think of the official databases, but not of the custom ones (mine, or anyone else's).


(Davide Principi) #4

Right, it is possible to provide additional rules from individual modules though… But we could also grant access to all DBs by default and enforce rules at module level only.
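
The gap discussed in this thread, as an added example that is not part of any post or of NethServer's own code: a small audit that lists which databases the managers rule does not let its members write, before and after the fix proposed in #2. The matching is a simplified model (it assumes the `WRITE` action applies to the explicitly listed `EsmithDatabase` resources), and `customdb`, `missing_grants` and `with_database` are hypothetical names.

```python
import copy
import json

# Rule as posted in the thread. The matching logic below is a simplified model
# for this example, not Nethgui's own authorization code.
RULE = json.loads(r'''
{
    "Id": 1328028218,
    "Effect": "ALLOW",
    "Subject": ".groups HAS managers",
    "Action": ["QUERY OR MUTATE OR INSTANTIATE", "WRITE"],
    "Resource": [".category IS Management", "Nethgui\\System\\EsmithDatabase:accounts"],
    "Description": "Managers can access modules in Management category and write accounts database"
}
''')

DB_PREFIX = "Nethgui\\System\\EsmithDatabase:"
MANAGERS = ".groups HAS managers"


def writable_databases(rule):
    """Databases an ALLOW rule names explicitly, if the rule carries WRITE (assumed pairing)."""
    if rule.get("Effect") != "ALLOW" or "WRITE" not in rule.get("Action", []):
        return set()
    return {r[len(DB_PREFIX):] for r in rule.get("Resource", []) if r.startswith(DB_PREFIX)}


def missing_grants(rules, subject, needed):
    """Databases in `needed` that no rule for `subject` allows writing."""
    granted = set()
    for rule in rules:
        if rule.get("Subject") == subject:
            granted |= writable_databases(rule)
    return sorted(set(needed) - granted)


def with_database(rule, name):
    """Copy of `rule` with one more database resource listed (the fix proposed in #2)."""
    patched = copy.deepcopy(rule)
    patched["Resource"].append(DB_PREFIX + name)
    return patched


if __name__ == "__main__":
    # Constructed sample: "vhosts" is from the thread, "customdb" is a made-up custom database.
    needed = ["accounts", "vhosts", "customdb"]
    print("before:", missing_grants([RULE], MANAGERS, needed))
    print("after adding vhosts:", missing_grants([with_database(RULE, "vhosts")], MANAGERS, needed))
```

Listing `vhosts` closes that one gap, while a custom database stays unwritable until it is listed too, which is the point raised in #3.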