UIU-2563 users manipulating psets need permission to do so (#2099)
Prior to `permissions` `5.5`, having `perms.users.items.put`, `...post`,
or `...delete` was a security vulnerability because it allowed any user
with the ability to assign permissions to assign permissions they did
not already have, e.g. for a user with `A` and `B` to grant `C` to
somebody else. That _is_ a useful feature, but the two should not be
coupled (assign own permissions; assign non-owned permissions).

Here, that same logic is applied to creation of permission sets: users
with the ability to create permission sets need the ability to create
sets with permissions they may not own.

Refs UIU-2563
zburke authored and mkuklis committed Apr 12, 2022
1 parent 4e36861 commit 69e2b80
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion package.json
@@ -186,7 +186,8 @@
"perms.permissions.item.put",
"perms.permissions.item.post",
"perms.permissions.item.delete",
"settings.users.enabled"
"settings.users.enabled",
"perms.users.assign.mutable"
],
"visible": true
},
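Review bot: the commit message ties this change to the `perms.users.assign.mutable` behaviour introduced in `permissions` `5.5`, but the only file touched is package.json and the hunk only adds the sub-permission to this permission set; if the module declares a required version for the `permissions` interface elsewhere in package.json, it should be raised to `5.5` in the same change, otherwise the set can be installed against an older backend where the new permission is unknown and the intended capability silently does not apply. The hunk's context does not show the `permissionName` or `displayName` of the set being extended (only its last three existing sub-permissions and `"visible": true`), so please widen the context or state the set's name in the message so reviewers can confirm it is the pset-creation set the description refers to and not a broader users-management set. Finally, because this sub-permission lets a holder grant permissions they do not themselves hold, and the set is visible (directly assignable), the message should say so explicitly so administrators assigning it understand it extends the holder's reach beyond their own permissions.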
