To reproduce error:
1. Create Role SubAdmin
2. Create User (user X) with SubAdmin role .
3. Assign user X "Administer users" Role. (path: admin/people/permissions)
4. Test with Add user and Edit user: OK. "en/admin/people/create" or "/user/%user/edit". User X cannot assign Administrator Role.
(I use Role delegation (role_delegation) module and Administer Users by Role (administerusersbyrole) to limit roles to be asigned).
5. On Page "admin/people":
5.1 Select some normal users (authenticated user).
5.2 Select Operation:
<option value="action::views_bulk_operations_user_roles_action">Change user roles</option>
5.3: Click "Excute"
6. I introduced to Page: "Set parameters for Change user roles", all Roles are shown
7. I select Administrator Role and click Next.
8. Confirm page showed: "Are you sure you want to perform Change user roles on the selected items?". I click "Confirm".
9. Batch Operation run.
10. Users has Administrator Role. I can change or remove any roles of any users.
11. Actions permissions (VBO) (actions_permissions) Enabled read: https://www.drupal.org/node/2109943
12. THIS ERROR still exists! IF select "Execute Modify user roles" of Actions permissions (VBO) for user X
THIS ERROR IS VERY VERY DANGEROUS!

CommentFileSizeAuthor
security-error.png6.99 KBtrong.nguyen.tcec

Comments

trong.nguyen.tcec created an issue. See original summary.

trong.nguyen.tcec’s picture

Status: Active » Closed (duplicate)
trong.nguyen.tcec’s picture

Issue summary: View changes
Status: Closed (duplicate) » Active
shrop’s picture

I have notified the Drupal Security Team of this issue. In the future, please follow this guide to report security issues: https://www.drupal.org/node/101494. Especially when you see this on the project; "Stable releases for this project are covered by the security advisory policy. Look for the shield icon below."

Thanks!

mlhess’s picture

drumm’s picture

Publishing since the Drupal security team determined this is not a security issue which would get an advisory. Any fix would be a security hardening.

Please report potential security issues confidentially in the future.