CMS Builder User Account Problem
4 posts by 2 authors in: Forums > CMS Builder
Last Post: February 19, 2010 (RSS)
Hello CMS Builder Team, I have noticed a problem with the user account setup that I believe should be brought to your attention and addressed as a matter of urgency. In version 1.36 and earlier, a non admin user who is created without access to sections of a site can actually create a new user account and assign that account user access to areas of the said site where they (the account creator) would have been denied access as a non admin user. This poses a serious threat to access of private areas and can compromise the security of the site. If there's something that I have missed, please enlighten me so I can fix this issue with a few sites that I have created with the CMS Builder.
Re: [beckstar] CMS Builder User Account Problem
By Dave - February 15, 2010
Hi beckstar,
The way it is currently designed any user with access to the "User Accounts" can grant access to any section (to other users or themselves).
The only exception to this is that non-admin users can't grant themselves or others access to the admin menu, and they can't view or modify admin user accounts.
How would you like it to work? Would you like it so non-admin users can only see or grant access to sections that they already have access to?
We could add that. We'd have to make it so if they edited a user account that already had access to a section that they didn't that they could only see or modify the sections for that user that they themselves had access to.
It get's a little complicated. Let me know how you'd like it to work and we'll see what we can do.
Hope that helps!
The way it is currently designed any user with access to the "User Accounts" can grant access to any section (to other users or themselves).
The only exception to this is that non-admin users can't grant themselves or others access to the admin menu, and they can't view or modify admin user accounts.
How would you like it to work? Would you like it so non-admin users can only see or grant access to sections that they already have access to?
We could add that. We'd have to make it so if they edited a user account that already had access to a section that they didn't that they could only see or modify the sections for that user that they themselves had access to.
It get's a little complicated. Let me know how you'd like it to work and we'll see what we can do.
Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
interactivetools.com
Re: [Dave] CMS Builder User Account Problem
Hi Dave, thanks for the response. I know that the user access settings may be complicated, but it would make logical sense. I would love to see that fixed in the CMS.
Re: [beckstar] CMS Builder User Account Problem
By Dave - February 19, 2010
Hi beckstar,
We're in the final release cycle for v2.03. I'll put that on the list for v2.04. Thanks for the suggestion!
We're in the final release cycle for v2.03. I'll put that on the list for v2.04. Thanks for the suggestion!
Dave Edis - Senior Developer
interactivetools.com
interactivetools.com