I know that a profile with the users w and profiles r can assign to a user a profile lower or equal to the profile used.
This is obvious and is used to avoid a privilege escalation attack.
My question is: how does GLPI order the profiles? Which profile is lower and can be assigned by the current user and which is higher and will not be displayed in the profiles drop-down in the "Add a empowerment to a user" menu?
Should a "superior" profile have all the rights of the inferior, plus user=w and profiles=r?
I'm trying to delegate this and I get inconsistent results. For instance, I have the built-in admin that cannot assign a profile that has no administrative privileges.
Last edited by geoalbi (2013-07-03 16:03:08)
The question for the developers stands, as we need to understand this behavior better.
But in the meantime I tested and validated my hypothesis: a "superior" profile should have all the rights of the inferior, plus user=w and profiles=r.
The "inferior" profile had the "Create a ticket" right that was missing from the "superior". Added that to the latter and was able to see the intended "inferior" profile in the "Add a empowerment to a user" Profile drop-down.
Last edited by geoalbi (2013-07-03 16:57:02)
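The rule validated in the post above, modelled as an added example (not GLPI's code and not part of the original thread): a profile is offered for assignment only when the acting profile holds user=w and profile=r and holds every right of the target at an equal or higher level. The right names, the level ordering and the sample profiles are assumptions constructed for illustration.

```python
# Added illustration of the rule tested in the thread; not GLPI source code.
# Right names, level values and the sample profiles are constructed assumptions.
LEVEL = {None: 0, "0": 0, "r": 1, "1": 1, "w": 2}


def can_delegate(actor):
    """The acting profile needs user=w and profile=r (or better)."""
    return (LEVEL[actor.get("user")] >= LEVEL["w"]
            and LEVEL[actor.get("profile")] >= LEVEL["r"])


def blocking_rights(actor, target):
    """Rights the target holds at a higher level than the actor."""
    return sorted(name for name, value in target.items()
                  if LEVEL[value] > LEVEL[actor.get(name)])


def assignment_report(actor_name, profiles):
    """Map each profile to the rights that hide it from the drop-down.

    An empty list means the profile is lower or equal and can be assigned.
    Returns None when the actor cannot assign profiles at all.
    """
    actor = profiles[actor_name]
    if not can_delegate(actor):
        return None
    return {name: blocking_rights(actor, rights)
            for name, rights in profiles.items()}


# Constructed sample data: the "superior" profile lacks create_ticket.
PROFILES = {
    "delegated-admin": {"user": "w", "profile": "r", "ticket_view": "r"},
    "helpdesk": {"create_ticket": "1", "ticket_view": "r"},
    "super-admin": {"user": "w", "profile": "w", "create_ticket": "1"},
}

if __name__ == "__main__":
    for name, blockers in assignment_report("delegated-admin", PROFILES).items():
        print(name, "assignable" if not blockers else f"hidden by {blockers}")
```

Running such a report over exported profile definitions shows which single right keeps an otherwise "lower" profile out of the drop-down, without having to widen the delegating profile by trial and error.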