
User Permissions Issue/Potential Security Risk (9.10.4)

Nancy Morano Dynamicweb Employee

Hello,

We have been doing some testing on User Permissions on a 9.10.4 site (https://sandbox.biolegend.com/) and have discovered that a login that has both frontend and backend access may be creating a potential security issue.  Therefore, we wanted to bring this to your attention.

The issue is as follows (this is also walked through in the attached recording):

(1) The login has frontend access.

(2) The login has also been set to "Allow backend login" and has been set to DEFAULT permissions (under Options).  The group that the login belongs to has no set permissions (no rights to the backend)

(3) However, when we log in to the backend, we are seeing everything!

So, somehow it looks like it is using the authenticated frontend permissions and they are leaking over to the backend and the login is seeing way more than they should.

Please note that we cannot repro this with consistency.  Sometimes it gives the correct blank screen, however, other times (as shown in the attached recording) we have full access to everything.

Thanks.


Replies

 
Nicolai Pedersen

Hi Nancy

That user is a member of 3 groups, one of them being the group "prt".

See this:

The PRT group has lots of permissions:

So - maybe that user should not be member of that group.

When permissions are marked as "not set", that does not mean the user cannot have access. It just means that a particular group does not have explicit permissions set, so it will fall back to another permission set.

So say you have a user that is a member of 2 groups: one group has "not set" and the other group has "read". The result for that user will be 'read'.
Consider the same 2 groups where the permission is 'read' on one of them and 'none' on the other; the result for that user will be 'none'.

 

So consider another situation: a user is only a member of 2 groups, and both groups have 'not set' as permissions. The result is 'not set', so what should be inherited then?

The default in DW is the "None" permission as fallback, so in this example the result of 2 x not set = none.

You can override that behavior by setting default permission level for at least one of the groups - see below:

Now if both groups have different default permissions, e.g. 'read' and 'full', the result will be 'read'.

See more here: https://doc.dynamicweb.com/documentation-9/users/user-management/permissions#7127

Also consider not setting "Allow backend login" for a user that should have no permissions in the backend...

BR Nicolai

 
Nicolai Pedersen

Also see this section: https://doc.dynamicweb.com/documentation-9/users/user-management/permissions#7128

Authenticated users (backend)

Not set

Backend users are not explicitly given any rights. This means that by default they see a blank page.

Remember, Not set is the lowest permission level and any inherited permission overrides it.
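As an added illustration (not Dynamicweb's code and not part of this thread), the resolution rules Nicolai lays out in his two replies above, modelled in Python with constructed group names; `granting_groups` also reports which membership carries the effective level, which is the check to run when a backend login sees more than expected.

```python
from dataclasses import dataclass
from typing import Optional

# Permission levels in order of increasing access. "not set" is not a level
# of its own but the absence of one, and any explicit level overrides it.
LEVEL_RANK = {"none": 0, "read": 1, "full": 2}
NOT_SET = "not set"
PRODUCT_FALLBACK = "none"   # per the thread: the DW default when nothing resolves


@dataclass
class Group:
    """One group the user belongs to (constructed model; names are made up)."""
    name: str
    permission: str = NOT_SET                  # explicit permission on the item
    default_permission: Optional[str] = None   # the group's "default permission level"

    def __post_init__(self):
        for value in (self.permission, self.default_permission):
            if value is not None and value != NOT_SET and value not in LEVEL_RANK:
                raise ValueError(f"unknown permission level: {value!r}")


def _most_restrictive(levels):
    return min(levels, key=LEVEL_RANK.__getitem__)


def resolve(groups):
    """Effective level for a user who is a member of every group in `groups`."""
    explicit = [g.permission for g in groups if g.permission != NOT_SET]
    if explicit:          # 'not set' + 'read' -> 'read'; 'read' + 'none' -> 'none'
        return _most_restrictive(explicit)
    defaults = [g.default_permission for g in groups if g.default_permission]
    if defaults:          # all 'not set': use the groups' defaults, most restrictive wins
        return _most_restrictive(defaults)
    return PRODUCT_FALLBACK   # 2 x 'not set' with no defaults -> 'none'


def granting_groups(groups):
    """Names of the groups whose setting produced the effective level.

    An empty list means the level came from the product fallback, not from
    any membership; a single unexpected name (e.g. "prt") is the membership to review.
    """
    level = resolve(groups)
    names = [g.name for g in groups if g.permission == level]
    if not names:
        names = [g.name for g in groups if g.default_permission == level]
    return names
```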

 
Nancy Morano Dynamicweb Employee

Hi Nicolai,

Thank you very much for your response and the informative guidance on User Permissions.  

Unfortunately, the DR_test@biolegend.com user was added to the PRT user group in the 9.10.4 site (https://sandbox.biolegend.com/) after my submitted recording was made.  This has made it a bit more difficult to continue exploring.  We will continue to repro this issue with a different account that is set only to the BioLegend group and report back.

In the meantime, in the first 2 minutes of the attached recording I show the security issue happening on a live site (https://www.biolegend.com/) on 9.8.11 with the DR_test@biolegend.com login.  Can you look into that and perhaps provide us guidance on how to resolve the issue?

Thank you,

Nancy M.

 
Nicolai Pedersen
This post has been marked as an answer

Hi Nancy

It seems like the new permissions model is not activated:

Have a look at that and see if that will fix the issue.

You should of course not have the permissions button on a group when not activated. That seems to be the only place where it is. Any other thing you can right click on and set permissions does not have the option it seems.

BR Nicolai

Votes for this answer: 1
 
Nancy Morano Dynamicweb Employee

Hi Nicolai,

Thank you very much for your response.  We will investigate implementing the new permissions model on the site with the customer.

Thanks again for your time,

Nancy Morano

 
