You have specified here https://doc.cuba-platform.com/manual-6.7/roles.html
that if a user has a single role without explicitly set permissions, or does not have any roles at all, he will have all rights to all objects.
What happens if a Standard (role) User adds a new User (blankUser) without any role?
blankUser will have access to create a new user with Super Role and become an Administrator.
How can this be avoided?
As far as I know, in CUBA currently there is no prevention for a non-administrator User to create a new user with more permissions than he/she has, e.g. with administrative permissions.
Therefore, if you want to be secure, in CUBA you should give access to create or edit users only to administrators, never to limited users.
Probably a workaround is possible, not tested personally.
You can make “Administrator” Role invisible to normal users by creating a row-level constraint (create access group, add constraint, use this access group for all users).
So that these users will not be able to assign Administrator role to anyone.
Create “Default denying” role with type DENYING and mark it as default.
When done so, it will be automatically considered as assigned to all users, even if they don’t have any user roles associated.
Then the only unlimited users are those who are explicitly assigned the Administrator role.
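To make the escalation path and the two workarounds concrete, here is an added Python model (not CUBA code, and not from the answer above) of the rules quoted in this thread: a user with no roles or only roles without explicit permissions gets all rights, a SUPER role grants everything, a DENYING role marked as default counts as assigned to everyone and removes the "no permissions set" shortcut, and a row-level constraint hides the Administrator role from a constrained access group so its members cannot assign it. Role names, the "Limited" access group, the permission target strings and the exact combination logic are assumptions made for the model; they simplify CUBA's real security subsystem.

```python
"""Toy model of the role rules quoted in this thread and of the two
workarounds (row-level constraint on roles + default DENYING role).
Assumed, simplified semantics; not CUBA's own security code."""
from dataclasses import dataclass
from enum import Enum


class RoleType(Enum):
    STANDARD = "STANDARD"
    SUPER = "SUPER"
    DENYING = "DENYING"


@dataclass(frozen=True)
class Role:
    name: str
    type: RoleType
    # explicitly granted targets such as "sec$User:create"; empty = nothing set
    allows: frozenset = frozenset()
    default: bool = False  # a default role counts as assigned to every user


@dataclass
class User:
    login: str
    roles: tuple = ()
    access_group: str = "Company"  # constructed access group names


# Constructed catalogue: Administrator (SUPER), a limited Standard role that
# (as in the question) may create users, and the "Default denying" role.
ADMIN = Role("Administrator", RoleType.SUPER)
STANDARD = Role("Standard", RoleType.STANDARD,
                frozenset({"sec$User:read", "sec$User:create"}))
DEFAULT_DENY = Role("Default denying", RoleType.DENYING, default=True)


def effective_roles(user, catalog):
    """Assigned roles plus every role marked as default (assumed rule)."""
    extra = tuple(r for r in catalog if r.default and r not in user.roles)
    return tuple(user.roles) + extra


def is_permitted(user, target, catalog):
    roles = effective_roles(user, catalog)
    if any(r.type is RoleType.SUPER for r in roles):
        return True
    # Doc rule: no roles, or only roles without explicit permissions -> all
    # rights. A DENYING role is treated as an explicit deny-all permission set,
    # so its presence disables this shortcut (vacuously true for no roles).
    if all(r.type is RoleType.STANDARD and not r.allows for r in roles):
        return True
    return any(target in r.allows for r in roles)


def visible_roles(actor, catalog, hidden_for_group):
    """Row-level constraint on roles: members of a constrained access group
    do not see the listed role names (assumed to be 'Administrator')."""
    hidden = hidden_for_group.get(actor.access_group, frozenset())
    return [r for r in catalog if r.name not in hidden]


def create_user(actor, login, wanted_roles, catalog, hidden_for_group):
    """The user editor lets the actor assign only roles the actor can see."""
    if not is_permitted(actor, "sec$User:create", catalog):
        raise PermissionError(f"{actor.login} may not create users")
    visible = {r.name for r in visible_roles(actor, catalog, hidden_for_group)}
    denied = [r.name for r in wanted_roles if r.name not in visible]
    if denied:
        raise PermissionError(f"{actor.login} cannot assign {denied}")
    return User(login, tuple(wanted_roles), actor.access_group)


def _setup(with_workaround):
    catalog = [ADMIN, STANDARD] + ([DEFAULT_DENY] if with_workaround else [])
    hidden = {"Limited": frozenset({"Administrator"})} if with_workaround else {}
    return catalog, hidden, User("standard", (STANDARD,), "Limited")


def escalation_possible(with_workaround):
    """The scenario from the question: a Standard user creates blankUser with
    no role; can blankUser then create a user holding Administrator?"""
    catalog, hidden, standard_user = _setup(with_workaround)
    blank = create_user(standard_user, "blankUser", (), catalog, hidden)
    try:
        create_user(blank, "newAdmin", (ADMIN,), catalog, hidden)
        return True
    except PermissionError:
        return False


def standard_can_assign_admin(with_workaround):
    """Can the Standard user hand out Administrator directly?"""
    catalog, hidden, standard_user = _setup(with_workaround)
    try:
        create_user(standard_user, "newAdmin", (ADMIN,), catalog, hidden)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("no workaround, escalation possible:", escalation_possible(False))
    print("with workaround, escalation possible:", escalation_possible(True))
    print("with workaround, Standard assigns Administrator:",
          standard_can_assign_admin(True))
```

Running the model without the workaround reproduces the problem from the question (blankUser, having no role, is unrestricted and can create an Administrator); with the default DENYING role blankUser is denied everything, and with the constraint the Standard user no longer sees the Administrator role and so cannot assign it. The model only shows why the two settings close the gap; the answer's advice to restrict user creation to administrators remains the primary control.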