User admin tool

I am using 7.9.5 on Windows

I just discovered a security flaw that was not there before the update. When signed in as a developer only, I can escalate access within the designer.

Step 1. Create a new internal user account with Dev access only
Step 2. Create a test project
Step 3. Drag the user admin console to the window
Step 4. Change the user source to internal
Step 5. Find your test user, click the + sign
Step 6. Give yourself admin

This has always been possible with the User Management component - that’s why you have to explicitly enable user administration from clients, and shouldn’t allow untrusted users to access the designer. Within a client, there are a variety of methods you can use to prevent this, including:

  1. The user management client permission, which will affect any user management components in the entire project, as well as scripting functions that affect users/roles.
  2. Project security on the user management component itself, or the window containing it, to prevent an unauthorized user from accessing the component in the first place.
  3. If a user needs access to the component, but you want to specifically prevent this, you can implement the onSaveUser (or related) extension functions to reject the save if they’re attempting to give themselves the admin role, or really for any other reason.
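As an added example that is not part of the thread or of Ignition's own code, here is the third mitigation from the reply written out: the decision logic for an onSaveUser extension function on the User Management component that rejects a save when the person saving is handing out a role their own session does not hold. It goes slightly beyond the self-elevation case in the thread, since the same rule also stops a non-administrator from creating or editing another administrator. The Ignition calls used in the hook (saveContext.rejectSave, user.getRoles, user.get(user.Username), system.security.getUsername and getRoles) are my understanding of the 7.9 API and are assumptions, as is "Administrator" as the admin role name; the sample sessions at the bottom are constructed. The rule itself lives in a plain function so it can be run and checked outside Ignition.

```python
# Added example (not from the forum thread or from Inductive Automation): the
# reject-on-elevation rule the reply suggests for the User Management
# component's onSaveUser extension function. Ignition API calls below are an
# assumption about the 7.9 API. Written to run on both Python 2 and 3 because
# Ignition 7.9 scripting is Jython 2.7.

# Roles that a saver may only assign if their own session already holds them.
# "Administrator" is assumed to be the admin role name; adjust to the project.
PROTECTED_ROLES = frozenset(["Administrator"])


def check_role_grant(saver_username, saver_roles, target_username, target_roles,
                     protected_roles=PROTECTED_ROLES):
    """Return None when the save is acceptable, otherwise a rejection reason.

    Rule: every protected role on the saved record must already be held by the
    saver's session. This rejects the thread's case (a Developer-only session
    giving itself Administrator) and also a Developer-only session saving any
    other user as Administrator.
    """
    missing = (set(target_roles) & set(protected_roles)) - set(saver_roles)
    if not missing:
        return None
    who = "yourself" if saver_username == target_username else target_username
    return "Cannot grant %s to %s: your session does not hold that role" % (
        ", ".join(sorted(missing)), who)


def onSaveUser(self, saveContext, user):
    """Body for the component's onSaveUser extension function.

    In the Designer this body is pasted into the extension function editor;
    'self', 'saveContext' and 'user' are supplied by the component. The
    'system' module exists only inside Ignition, hence the local import.
    """
    import system  # assumption: Ignition scripting root, Jython only
    reason = check_role_grant(
        system.security.getUsername(),   # who is logged into this client
        system.security.getRoles(),      # roles of that session
        user.get(user.Username),         # username of the record being saved
        user.getRoles(),                 # roles the saved record will carry
    )
    if reason is not None:
        saveContext.rejectSave(reason)   # assumption: blocks the save with a message
        return False
    return True


if __name__ == "__main__":
    # Constructed sample sessions standing in for the Designer/client session.
    print(check_role_grant("devuser", ["Developer"], "devuser",
                           ["Developer", "Administrator"]))
    print(check_role_grant("admin", ["Administrator"], "devuser",
                           ["Developer", "Administrator"]))
```

Note that this check only runs when the save goes through the component; the client permission and project security options from the reply still matter because scripting functions that edit users bypass it entirely.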

I know that it has always been a feature, however it is currently disabled (not selected on the gateway), which is why I reported the issue
