Bug #55585 SECURITY: ManageUsers.action works for a readonly user
Submitted: 27 Jul 2010 15:08 Modified: 12 Aug 2010 21:59
Reporter: Leandro Morgado
Status: Closed
Category: MySQL Enterprise Monitor: Server    Severity: S2 (Serious)
Version: >= 2.2.1.1721    OS: Any
Assigned to: Josh Sled    CPU Architecture: Any

[27 Jul 2010 15:08] Leandro Morgado
Description:
A read only MEM user is not supposed to see the User Management page, as the Settings->Manage Users tab is hidden for RO users. However, if the user navigates to:

http://servername/ManageUsers.action

He will have access to the page and see a list of users and their associated roles and permissions. On a good note, if the user tries to modify a user entry, he will be denied. 

How to repeat:
1) Create a read only user
2) Login with user
3) Navigate to http://servername/ManageUsers.action
4) See the list of MEM users configured

Suggested fix:
Also prevent read only user from seeing the ManageUsers.action page containing user list.
[5 Aug 2010 20:57] Enterprise Tools JIRA Robot
Josh Sled writes: 
branches/2.2/ fix:

revno: 8122
revision-id: josh.sled@oracle.com-20100805205113-wosljsadlhbk80rr
parent: torus@torus-pc-20100804102838-k737qelau2xc9bmx
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Thu 2010-08-05 16:51:13 -0400
message:
  EM-4707: disallow even read-only access to the manage users page unless the user is an admin (same rule as showing the tab)
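The pattern behind the report and the fix, as an added illustration that is not MySQL Enterprise Monitor's own code: the Settings tab is hidden by a role check, but the action behind the URL applied no check of its own, so a read-only user who typed the URL got the listing while the modify path (which did check) denied him. The user model, role names, route table and Response type below are assumptions made for the example; the "fixed" handler reuses the exact predicate that decides whether the tab is shown, which is what the EM-4707 commit message describes.

```python
# Forced browsing on a hidden admin page: vulnerable vs. fixed action handlers.
# Added illustration only; this is not MySQL Enterprise Monitor code. The user
# model, role names, route table and Response type are assumptions made here.
from dataclasses import dataclass
from typing import Callable, Dict, List

ADMIN = "admin"
READ_ONLY = "read-only"


@dataclass
class User:
    name: str
    role: str


@dataclass
class Response:
    status: int
    body: str


# Constructed sample user store, standing in for what ManageUsers.action lists.
USERS: List[User] = [User("alice", ADMIN), User("bob", READ_ONLY)]


def is_admin(user: User) -> bool:
    """The one authorization rule; the UI and every action must share it."""
    return user.role == ADMIN


def render_settings_tabs(user: User) -> List[str]:
    """Navigation bar: the Manage Users tab is hidden for non-admins."""
    tabs = ["General", "Notifications"]
    if is_admin(user):
        tabs.append("Manage Users")
    return tabs


def _user_listing() -> str:
    return ", ".join(f"{u.name}:{u.role}" for u in USERS)


def manage_users_vulnerable(user: User) -> Response:
    """Pre-fix shape of the bug: hiding the tab is the only 'protection',
    so anyone who requests the URL directly gets the user list."""
    return Response(200, _user_listing())


def manage_users_fixed(user: User) -> Response:
    """Post-fix shape: enforce the same predicate that decides the tab."""
    if not is_admin(user):
        return Response(403, "This page is unavailable to your account.")
    return Response(200, _user_listing())


def update_user_role(user: User, target: str, new_role: str) -> Response:
    """The modify path already checked the role (as the report notes);
    the bug was that the read path did not."""
    if not is_admin(user):
        return Response(403, "Not permitted.")
    for u in USERS:
        if u.name == target:
            u.role = new_role
            return Response(200, f"{target} is now {new_role}")
    return Response(404, "no such user")


Handler = Callable[[User], Response]


def dispatch(path: str, user: User, routes: Dict[str, Handler]) -> Response:
    """Minimal front controller: URL -> handler, no implicit authorization.
    Anything the UI hides must be denied here, not only in the menu."""
    handler = routes.get(path)
    if handler is None:
        return Response(404, "unknown action")
    return handler(user)


def forced_browse(user: User, routes: Dict[str, Handler]) -> dict:
    """Reproduce the report: is the tab hidden, and does the direct URL leak?"""
    tab_hidden = "Manage Users" not in render_settings_tabs(user)
    resp = dispatch("/ManageUsers.action", user, routes)
    leaks = resp.status == 200 and any(u.name in resp.body for u in USERS)
    return {"tab_hidden": tab_hidden, "status": resp.status, "leaks_user_list": leaks}


VULNERABLE_ROUTES: Dict[str, Handler] = {"/ManageUsers.action": manage_users_vulnerable}
FIXED_ROUTES: Dict[str, Handler] = {"/ManageUsers.action": manage_users_fixed}


if __name__ == "__main__":
    bob = User("bob", READ_ONLY)
    print("before fix:", forced_browse(bob, VULNERABLE_ROUTES))
    print("after fix: ", forced_browse(bob, FIXED_ROUTES))
```

The check worth keeping from this is `forced_browse`: for every role that should not see a page, request its URL directly and assert on the status and body rather than on whether the menu entry is rendered. Hiding a tab is a usability decision; denying the action is the security control.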
[12 Aug 2010 18:41] Enterprise Tools JIRA Robot
Attachment: 10429_EM-4707bld1737.png (image/png, text), 166.87 KiB.

[12 Aug 2010 19:23] Enterprise Tools JIRA Robot
Josh Sled writes: 
revised commit id after rebase and real push:

revno: 8127
revision-id: josh.sled@oracle.com-20100805205113-ocin3iq52cdgi82y
parent: andy.bang@oracle.com-20100811220050-aw7s5mcpiuuezrkq
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Thu 2010-08-05 16:51:13 -0400
message:
  EM-4707: disallow even read-only access to the manage users page unless the user is an admin (same rule as showing the tab)
[9 Sep 2010 14:04] MC Brown
A note has been added to the 2.2.3 changelog: 

        It was possible for a user without the ability to view
        the <guilabel>Manage Users</guilabel> page to reach it by visiting the
        URL directly, even though the user was not authorized to view the
        page. Users without the right credentials are now provided with
        a warning that the page is unavailable.