To reproduce error:
1. Create Role SubAdmin
2. Create User (user X) with SubAdmin role .
3. Assign user X "Administer users" Role. (path: admin/people/permissions)
4. Test with Add user and Edit user: OK. "en/admin/people/create" or "/user/%user/edit". User X cannot assign Administrator Role.
(I use Role delegation (role_delegation) module and Administer Users by Role (administerusersbyrole) to limit roles to be asigned).
5. On Page "admin/people":
5.1 Select some normal users (authenticated user).
5.2 Select Operation:
<option value="action::views_bulk_operations_user_roles_action">Change user roles</option>
5.3: Click "Excute"
6. I introduced to Page: "Set parameters for Change user roles", all Roles are shown
7. I select Administrator Role and click Next.
8. Confirm page showed: "Are you sure you want to perform Change user roles on the selected items?". I click "Confirm".
9. Batch Operation run.
10. Users has Administrator Role. I can change or remove any roles of any users.
11. Actions permissions (VBO) (actions_permissions) Enabled read: https://www.drupal.org/node/2109943
12. THIS ERROR still exists! IF select "Execute Modify user roles" of Actions permissions (VBO) for user X
THIS ERROR IS VERY VERY DANGEROUS!
| Comment | File | Size | Author |
|---|---|---|---|
| security-error.png | 6.99 KB | trong.nguyen.tcec |
Comments
Comment #2
trong.nguyen.tcec commentedRelated to: https://www.drupal.org/node/2109943
Comment #3
trong.nguyen.tcec commentedComment #4
shrop commentedI have notified the Drupal Security Team of this issue. In the future, please follow this guide to report security issues: https://www.drupal.org/node/101494. Especially when you see this on the project; "Stable releases for this project are covered by the security advisory policy. Look for the shield icon below."
Thanks!
Comment #5
mlhess commentedComment #6
drummPublishing since the Drupal security team determined this is not a security issue which would get an advisory. Any fix would be a security hardening.
Please report potential security issues confidentially in the future.