[opencms-dev] User Role for Newsletter Module

Christian Hellinger Christian.Hellinger at dreger.de
Wed Apr 30 14:06:28 CEST 2008


Hello,

We are using the Newsletter Module 1.0.0 in an OpenCms 7.0.3 installation 
on a WAS 6.1 Express.

It's described in the manual of the newsletter module that the "Account 
manager" role is required to send newsletters.

My question is: How can I prevent a "newsletter manager" from changing 
i.e. the password of the "Admin" account (which would mean that this user 
could lock me, the admin, out of the system)? It seems that an Account 
Manager is able to manage all users below _and_ above his current OU!

So, even if I create an Admin account in an OU parallel to the OU used by 
this user, he could create an account in the root unit and disable my 
account with this new account.

Was the behaviour described above intended? Is there a way of restricting 
the access of the Account Manager? If not, it seems to me that this is a 
possible security risk.


Best regards

Christian Hellinger

PS: I also found that I can't add roles to users in the newsletter OU 
directly, btw.

--------------------------------------

DREGER INFORMATION TECHNOLOGY

J&J DREGER Consulting GmbH & Co. KG
Carl-Benz-Str. 35
D - 60386 Frankfurt am Main, Germany

Phone :    +49-69-90479-0
Fax   :    +49-69-90479-479

Email :    christian.hellinger at dreger.de
WWW   :    http://www.dreger.de

--------------------------------------
