[#672] Cron to warn about site admins about weird permissions



Detailed description

I got a few cases of weird RBACs today, with users granting project_admin or scm=write privileges to Anonymous or LoggedIn roles. This didn't seem intentional.

It would be nice to have a cron'd script to warn the site admins when permissions are too open.

Other cases: - I got users members of Anonymous or LoggedIn roles but that can be considered a bug in old FF versions - I also got in the past people who mistakenly dropped their own admin privileges, this could be checked too.

General Information
Submitted by:
Sylvain Beucler
Date Submitted: 2014-05-13 16:18
Last Modified by: Nobody
Last Modified: 2017-11-02 20:00
Permalink: https://fusionforge.org/tracker/a_follow.php/672
Internal Fields
Data Type: Feature requests
Assigned to: Nobody (None)
State: Open
Priority: 1
Extra Fields
Target release:
Follow-up tabs
Message  ↓
Date: 2014-05-13 16:21
Sender: Sylvain Beucler

To get groups granting "open" permissions on Anonymous or LoggedIn:

SELECT groups.groupid, unixgroupname FROM roleprojectrefs JOIN groups ON (roleprojectrefs.groupid=groups.groupid) JOIN pforolesetting ON (roleprojectrefs.roleid=pforolesetting.roleid AND (pforolesetting.refid=groups.groupid) AND ((sectionname='projectadmin' AND permval=1) OR (sectionname='scm' AND permval=2))) WHERE roleprojectrefs.role_id IN (1,2);

No attached documents

No related commits.

Field Old Value Date By
priority32018-04-22 08:59
Franck Villaume

No relations found.