Separating out Site Owner's permission

Topics: Administration, General
Apr 5, 2011 at 9:44 PM
Edited Apr 5, 2011 at 9:44 PM

Hi,

I'm looking at an interesting security-related problem.

Currently there is a single permission, "Site Owners Permission", that is the only permission controlling whether or not someone can manage users.

The problem is, if I grant Site Owners Permission to any user, they immediately gain all other permissions as well.

I want to be able to give Moderator role the ability to manage other user accounts; but not have them able to install any modules or enable any features, which could be potentially site-breaking as there might be incompatible modules, unsupported styles, etc.

I started looking at whether a module could achieve this, but it seems not. In the AdminController(s) of Orchard.Users and Orchard.Roles, every single action looks like this:

 

        public ActionResult Index(UserIndexOptions options, PagerParameters pagerParameters) {
            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list users")))
                return new HttpUnauthorizedResult();

            //...

        }

So all I could do in an IAuthorizationEventHandler or any other extensibility point is check for the SiteOwner permission being requested ... the best I could do to figure out what permission was being requested for would be to start manually checking controllers and actions, which doesn't seem like an awesome way to do things ... And SiteOwner permission is hardcoded to be a "grant all" switch in any case.

What I'm proposing is an additional "Manage Users" permission. This would let a user into all the user management screens, the only user they couldn't change or remove in any way would be anyone with Site Owner permission themselves. They also wouldn't be able to make anyone a site owner.

The other areas exclusively controlled by Site Owner permission are: Reports, Settings, Updating Themes, Installing or Updating Modules, Warmup Admin, and most of the designer tools / multi tenancy. None of these I'd particularly question although perhaps there should be some ability for Editors to add additional Warmup URLs.

So if a "Manage Users" permission sounds reasonable, should I raise a workitem? I'm happy to write a patch for this myself if it's something that's wanted.

Coordinator
Apr 5, 2011 at 9:52 PM

We have consciously removed any permission the granting of which would lead to potential elevation of privilege to effectively being site owner. If you can assign roles or permissions, you can promote yourself to site owner. Hence, that permission was removed.

Apr 5, 2011 at 10:34 PM

Yes - which is why I specified "the only user they couldn't change or remove in any way would be anyone with Site Owner permission themselves. They also wouldn't be able to make anyone a site owner". Those two statements eliminate any potential elevation of privileges.

Even better than that (as just occurred to me), you could dynamically generate a new Permission per Role: "Can grant or revoke {x} role". So you can fine-tune which Roles have the ability to promote others to Moderator, Editor, etc.

I realise why certain decisions have been made but in this case I don't think it's too hard a problem to solve. And not being able to create "account manager" users seems a fairly big limitation - in my case, it's a feature I absolutely need for a site I'm setting up, which is why I offered to contribute an implementation.
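
The guard rules discussed in the posts above, as an added example that is not part of the thread and not Orchard code: the `Role`, `User` and `RoleDelegation` types and the permission names `ManageUsers` and `Grant:{role}` are hypothetical stand-ins for the proposal. The final rule (a role may not carry delegation permissions the granting user lacks) goes beyond what the post states and is included because a chain of grantable roles would otherwise reopen the elevation path.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data. Moderator holds Grant:Recruiter to exercise the last rule.
var owner     = new Role("Administrator", new() { "SiteOwner" });
var moderator = new Role("Moderator", new() { "ManageUsers", "Grant:Editor", "Grant:Recruiter" });
var editor    = new Role("Editor", new() { "EditContent" });
var recruiter = new Role("Recruiter", new() { "ManageUsers", "Grant:Moderator" });

var admin = new User("admin", new() { owner });
var mod   = new User("mod", new() { moderator });
var alice = new User("alice", new());

foreach (var (target, role) in new[] { (alice, editor), (alice, owner), (admin, editor), (mod, recruiter) }) {
    var ok = RoleDelegation.CanGrant(mod, target, role, out var reason);
    Console.WriteLine($"mod grants {role.Name} to {target.Name}: {(ok ? "allowed" : "denied, " + reason)}");
}

// Hypothetical model for illustration; none of these are Orchard types.
record Role(string Name, HashSet<string> Permissions);
record User(string Name, List<Role> Roles) {
    public bool IsSiteOwner => Has("SiteOwner");
    public bool Has(string permission) => Roles.Any(r => r.Permissions.Contains(permission));
}

static class RoleDelegation {
    // Permissions that let their holder change what other accounts can do.
    static bool IsDelegation(string p) =>
        p == "ManageUsers" || p.StartsWith("Grant:", StringComparison.Ordinal);

    public static bool CanGrant(User actor, User target, Role role, out string reason) {
        reason = "";
        if (actor.IsSiteOwner) return true;   // SiteOwner remains the grant-all switch
        if (!actor.Has("ManageUsers")) reason = "actor cannot manage users";
        else if (target.IsSiteOwner) reason = "site owners cannot be changed";
        else if (role.Permissions.Contains("SiteOwner")) reason = "role carries SiteOwner";
        else if (!actor.Has("Grant:" + role.Name)) reason = "actor lacks Grant:" + role.Name;
        else if (role.Permissions.Any(p => IsDelegation(p) && !actor.Has(p)))
            reason = "role would delegate more than the actor holds";
        return reason.Length == 0;
    }
}
```

The same target check would have to cover every other account operation (password reset, e-mail change, deactivation), and editing a role's permission list would need to stay Site Owner only, since either one bypasses the grant rules.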

Coordinator
Apr 5, 2011 at 10:36 PM

Oh, absolutely, I'm not saying it can't be done. Knock yourself out :)

Apr 5, 2011 at 10:43 PM

How about ...

Define a new role "Site manager"

Create a widget that borrows heavily from code and views in Orchard.Users to display a list of users.  In that widget allow only the specific roles you want to be set on the users being managed.

Create a layer that's only visible to users with that role and display your widget there.

Now the site owner can make a user a Site manager and they can then set other allowed roles on the rest of the user population.

Apr 6, 2011 at 12:24 AM

bertrand: I'll give it a go :) got to have it working by next week in any case ...

hightechrider: Yeah, there are tons of ways I could work around it by basically replicating half of Users and Roles ... but that creates a lot of redundant code that would need to be maintained and updated to keep up with any core changes and improvements in those areas. And there's really no reason to create a separate UI when I can do it more easily in core, and maintain those changes in my private branch (into which I'm regularly merging the latest bits in any case).

Apr 6, 2011 at 12:34 AM

It's not actually that much code << half those two modules. 

  • Adding a couple of roles requires no changes to any core code.
  • The code to add or remove roles from users is trivial.
  • A role based rule is already out there
  • So all you need is a bit of UI and you can copy most of that from the existing module.

I've created a module that does something similar except in my case MS-CRM is used to manage users and roles so there's no UI at all!

Apr 6, 2011 at 12:54 AM

Yes I see your point ... but those modules aren't that small so even under half the code is still not so easy to maintain, plus building a new widget ... versus find / replace the permissions checks in a couple of controllers and implementing some fairly trivial validation in the roles service. Actually you're slightly underestimating my requirements, it's not just roles management I'm after, I want my user (and this is a specific website with a feature that necessitates this) to be able to remove or at least deactivate user accounts, add new users, reset passwords, pull up email addresses, i.e. the entire user management UI. Not something that can really fit neatly in a sidebar widget :)

Nice that you found an easy UI-less solution, but replicating the UI would be the main issue I have.

Mar 24, 2012 at 11:29 PM

hey randompete, I know this is a fairly old post - but did you ever develop this further?  I'm certainly interested in such, your sentence:
"I want to be able to give Moderator role the ability to manage other user accounts; but not have them able to install any modules or enable any features, which could be potentially site-breaking as there might be incompatible modules, unsupported styles, etc." ...I imagine mirrors many users' sentiments; definitely mine for instance:

http://orchard.codeplex.com/discussions/349739

Cheers pg

Mar 24, 2012 at 11:43 PM

just to give my 2 cents, it would be great if user manage security like this was easier and w/o code out of the box, if nothing else it would improve adoption.  One issue that is particularly frustrating is I can give an author ownership of the blog w/o making them admin or moderator but they can't edit posts they create or edit the blog template or add or edit widgets out of the box.  When we have virtually no time to do customization this makes it problematic to use Orchard as a cms for some projects.

Jul 31, 2012 at 11:02 PM
Edited Aug 1, 2012 at 3:46 PM

Randompete, just wondering if you ever created this module.  A discussion about this very topic came up today and I was surprised to find out that it's not possible, out of the box, to manage permissions for "User Management" outside of the Site Owner.

UPDATE: I see you started another thread at...
http://orchard.codeplex.com/discussions/253592

Thanks,
Brian