Error updating email of user

mmoral · 2024-05-22 14:01:28

Good Morning,

Some users have a profile with the next checks selected in administration --> Users: READ UPDATE CREATE DELETE PURGE
The users can update all fiels, but fail with the field email.

In Administration --> Logs
Appear a entry that the user modify a item of Users with the correct user ID, but in really the action failed and the email have not updated.
But in the log it appears as if it was done correctly.

Regards

cconard96 · 2024-05-22 14:37:22

Emails can only be changed by the user themselves or changed a user with more permissions than them.

mmoral · 2024-05-22 14:46:46

Hello,

More permissions than: READ UPDATE CREATE DELETE PURGE ?

So, why does it appear in the log that the action was done correctly?, if the user does not have permissions

Regards

Last edited by mmoral (2024-05-22 14:46:57)

cconard96 · 2024-05-22 14:54:21

No. The comparison takes into account all permissions available in every profile for both users.
A user's email is directly related to authentication, so it shouldn't be able to be modified by just anyone with the UPDATE right for users as it would lead to privilege escalation.
Imagine if an Admin with the ability to update users (to adjust title, comments, etc) could change a Super-Admin user's email address and then have a forgotten password notification sent to one of their own emails.

The update is counted as a success because the email fields are just transparently removed from the changes if the permission check fails rather than blocking the entire update.

mmoral · 2024-05-22 15:06:38

Thanks for the explain!!

Forum GLPI-Project

Announcement

#1 2024-05-22 14:01:28

Error updating email of user

#2 2024-05-22 14:37:22

Re: Error updating email of user

#3 2024-05-22 14:46:46

Re: Error updating email of user

#4 2024-05-22 14:54:21

Re: Error updating email of user

#5 2024-05-22 15:06:38

Re: Error updating email of user

Board footer