[opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

[Michael Moossen]

Hi all!

 > This user can also edit admin user and use the "switch user"
 > functionality in order to become the admin user and get access to all
 > areas or CMS.
problem solved and just committed to the HEAD.

Kind regards,
Michael

-------------------

Alkacon Software GmbH  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org

Visit us on CeBIT expo in Hannover, Germany
March 4 to March 9, 2008 - Hall 5 Stand F59/3


Fabian Huschka wrote:
> Hello Micheal,
> 
> 
> Michael Moossen schrieb:
>> Hi Oli!
>>
>> No, this are not the same.
>>
>> your 'problem' has 2 parts:
>>  > This user can then see the parent unit and edit all those users.
>> No, this should not be the case, and i can not reproduce it.
>>
>>  > This user can also edit admin user and use the "switch user"
>>  > functionality in order to become the admin user and get access to all
>>  > areas or CMS.
>> this works as designed or better said we have not really think about 
>> this. it is not decided yet if we will do something about this in 7.0.4.
>>   
> We are very concerned with this "feature" as it enables the user to lock 
> out the admin by simply changing its password. In certain shared hosting 
> environments this is a nightmare.
>> Kind regards,
>> Michael
>>
>> -------------------
>>
>> Alkacon Software GmbH - The OpenCms Experts
>> Michael Moossen
>> An der Wachsfabrik 13
>> 50996 Koeln, DE
>>
>> Besuchen Sie uns auf der CeBIT 2008
>> Halle 5, Stand F59/3
>>
>> Tel: +49 (0)2236 3826-0
>> Fax: +49 (0)2236 3826-20
>> Email: m.moossen at alkacon.com
>>
>> http://www.alkacon.com
>> http://www.opencms.org
>>
>>
>>   
> 
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://lists.opencms.org/mailman/listinfo/opencms-dev