Security bug when using Related Site Mode

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

6/26/2010 1:37:56 PM
Total Posts 8

Security bug when using Related Site Mode

• What operating system?

Windows 7

• What database platform?

SQL Server 2005

• What version of mojoPortal?

2.3.4.4

• Steps to reproduce the problem

Configure mojoPortal to use multiple sites in folder mode, create a subsite, and make sure these settings are in your .config as follows:

<add key="UseFoldersInsteadOfHostnamesForMultipleSites" value="true"/>
<add key="UseRelatedSiteMode" value="true"/>
<add key="RelatedSiteID" value="1"/>
<add key="RelatedSiteModeHideRoleManagerInChildSites" value="true"/>

Expected results:

Admins of the child site can't manage roles.

Actual results:

If you request the child site's Role Manager page, you can still do everything, just as in the main site:

http://localhost/childsitename/Admin/RoleManager.aspx

6/28/2010 6:20:40 AM
Total Posts 18439

Re: Security bug when using Related Site Mode

Hi,

I will investigate this, but please understand one important thing. Hiding the Role manager in child sites using related sites mode is not a security feature, it is only cosmetic.

The important thing to understand is that in related sites mode all sites use the same users and roles, so if you add someone to the Administrators role then they are an administrator in all sites, not just the child site, so they can go to the root site and manage roles even if it is hidden in the child sites.

When using related sites mode there is a new setting shown in site settings for child sites for Site Editor Roles. The enabled roles there can manage any content in the child site but cannot manage roles regardless of whether the hiding is enabled. So typically you will add child site "admins" to the site editor roles not the Administrators role.

Best,

Joe

6/28/2010 8:21:45 AM
Total Posts 18439

Re: Security bug when using Related Site Mode

Hi,

I looked into this and it was correctly hiding the Role Manager link from the admin menu but it does not redirect to access denied if the user is an admin.

I can easily add logic to redirect to access denied but since the page is already limited to admins and role admins I'm not sure this is really needed.

As I said roles are shared across sites and a member of admins role is not site specific in related sites mode, a member of Admins role is an admin in all sites in related sites mode and can go to the root site and manage roles. It seems it would only be an annoyance to redirect an admin to access denied and force him to use the root site to manage roles if he manually entered the url. The idea of that setting was to hide the menu link for role manager so that there is no confusion, showing the link may make you think roles are different in each site when they are not under related sites mode.

Best,

Joe
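The thread turns on a distinction worth making explicit in code: hiding the Role Manager link is a presentation decision, while whether a request to RoleManager.aspx is served is an authorization decision, and in related sites mode the second one does not depend on which site the request came in through because roles are shared. The following is an added illustration, not mojoPortal's own code; the class names, the role names "Admins" and "Role Admins", and the site ids are assumptions chosen to mirror the settings quoted in the report (RelatedSiteID=1, a child site with id 2).

```csharp
// Added example (not mojoPortal's own code). Models the two separate decisions
// discussed in the thread for a child site running in related site mode.
using System;
using System.Collections.Generic;
using System.Linq;

// Mirrors the three appSettings keys quoted in the report (assumed class, not mojoPortal's).
public sealed class RelatedSiteSettings
{
    public bool UseRelatedSiteMode { get; set; }
    public int RelatedSiteId { get; set; }
    public bool HideRoleManagerInChildSites { get; set; }
}

public static class RoleManagerAccess
{
    // Role names are assumed for this example.
    private static readonly string[] RoleManagerRoles = { "Admins", "Role Admins" };

    // Decision 1: authorization. Roles are shared across related sites, so the
    // site the request arrived on plays no part; only membership matters.
    // This is the check that actually protects the page.
    public static bool CanManageRoles(IEnumerable<string> userRoles) =>
        userRoles.Any(r => RoleManagerRoles.Contains(r));

    // Decision 2: presentation. Whether the admin menu shows the link. Hiding it
    // on child sites is cosmetic, as the thread says: a member of Admins can
    // still open the root site's Role Manager.
    public static bool ShowRoleManagerLink(RelatedSiteSettings s, int currentSiteId, IEnumerable<string> userRoles)
    {
        if (!CanManageRoles(userRoles)) return false;
        bool isChildSite = s.UseRelatedSiteMode && currentSiteId != s.RelatedSiteId;
        return !(isChildSite && s.HideRoleManagerInChildSites);
    }

    // The optional redirect Joe mentions: deny the child-site URL even to admins.
    // Returns true when a page should send the user to the access-denied page.
    public static bool ShouldRedirectToAccessDenied(RelatedSiteSettings s, int currentSiteId, IEnumerable<string> userRoles)
    {
        if (!CanManageRoles(userRoles)) return true;               // never serve to non-admins
        bool isChildSite = s.UseRelatedSiteMode && currentSiteId != s.RelatedSiteId;
        return isChildSite && s.HideRoleManagerInChildSites;       // only an annoyance, per the thread
    }

    public static void Main()
    {
        // Constructed settings, matching the .config lines in the report.
        var settings = new RelatedSiteSettings
        {
            UseRelatedSiteMode = true,
            RelatedSiteId = 1,
            HideRoleManagerInChildSites = true
        };
        var admin = new[] { "Admins" };
        var editor = new[] { "Content Editors" };   // assumed name for a site-editor role

        // Child site (id 2): link hidden, but the page itself is still reachable by an admin.
        Console.WriteLine(ShowRoleManagerLink(settings, 2, admin));   // False
        Console.WriteLine(CanManageRoles(admin));                      // True

        // Root site (id 1): link shown and page reachable.
        Console.WriteLine(ShowRoleManagerLink(settings, 1, admin));   // True

        // A site editor is blocked everywhere, regardless of the hide setting.
        Console.WriteLine(CanManageRoles(editor));                     // False
        Console.WriteLine(ShouldRedirectToAccessDenied(settings, 1, editor)); // True
    }
}
```

In an ASP.NET page the `ShouldRedirectToAccessDenied` result would be evaluated in `Page_Load` before any role data is rendered. The takeaway matches Joe's reply: the protection comes from `CanManageRoles`, which already holds for the child-site URL, so the hide setting changes what the menu shows, not who can manage roles.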
