Cyboman Posted July 17, 2017 I just detected that the "group promotion options" in any IP.Commerce product offer group promotions to the "Administrator" or "Moderator" group. This shouldn't be. For my IP.Commerce shop, I appoint third-party shop managers (with ACP access) to add new products to the shop. That's the only permission they get via the ACP. But it's a very high security risk, as they are able to configure any new product (e.g. promote to admin group for 1 USD), and then, after buying it for 1 USD, they will be promoted to the "Administrators" group with full access to the community. I found no way to prevent or restrict this. Admin groups should be excluded from the group promotion settings in Commerce products, in any way. The only product I can think of where this option is useful is if you want to sell your community...
Wolf Posted July 18, 2017 I agree that this is a security flaw and should be rectified.
Cyboman Posted July 18, 2017 (Author) Thanks, I already thought I was alone with that problem. Just as an enhancement to the problem solution described above: the more I think about it, I would suggest that group promotions in IP.Commerce should get an individual administrator permission setting -> "Can create products with group promotions?" Meaning: it should be a separate, dominant administrator permission whether group promotions can be added to a product at all by a specific admin group.
Good-Admin Posted July 18, 2017 Should you not promote them to admin but rather to a completely different user group of your own making? For example, a shop user group.
Cyboman Posted July 18, 2017 (Author)
7 hours ago, Good-Admin said:
    Should you not promote them to admin but rather to a completely different user group of your own making? For example, a shop user group.
Probably a misunderstanding. I have a shop user group (to which I manually promote selected trustworthy members). This shop user group has restricted admin privileges so that it is only able to add new products. But the problem is that this restricted shop user group can create any new product that automatically promotes the buyer to the admin user group with maximum permissions on the community. They could use this high-security-flaw workaround because you can't restrict the product creators from being able to promote to the admin role during product creation. This way, any shop user group member could promote himself or any other person to a full administrator role by simply buying his own admin group promotion product.
Adriano Faria Posted July 18, 2017
17 hours ago, Cyboman said:
    I just detected that the "group promotion options" in any IP.Commerce product offer group promotions to the "Administrator" or "Moderator" group. This shouldn't be.
You mean this? New product -> Store & Purchase Settings tab -> Purchase Benefits?
Adriano Faria Posted July 18, 2017
2 minutes ago, Cyboman said:
    yes
I can post a quick file edit to not list STAFF groups there, if you want...
Adriano Faria Posted July 18, 2017 Open applications\nexus\sources\Package\Package.php and find:

    $form->add( new \IPS\Helpers\Form\Select(
        'p_primary_group',
        $this->primary_group ?: '*',
        FALSE,
        array(
            'options'            => $groups,
            'unlimited'          => '*',
            'unlimitedLang'      => 'do_not_change',
            'unlimitedToggles'   => array( 'p_return_primary' ),
            'unlimitedToggleOn'  => FALSE
        )
    ) );

Change to (the second FALSE passed to Group::groups() drops the admin groups from the option list):

    $form->add( new \IPS\Helpers\Form\Select(
        'p_primary_group',
        $this->primary_group ?: '*',
        FALSE,
        array(
            'options'            => \IPS\Member\Group::groups( FALSE, FALSE ),
            'unlimited'          => '*',
            'unlimitedLang'      => 'do_not_change',
            'unlimitedToggles'   => array( 'p_return_primary' ),
            'unlimitedToggleOn'  => FALSE
        )
    ) );

Find:

    $form->add( new \IPS\Helpers\Form\Select(
        'p_secondary_group',
        $this->secondary_group ? explode( ',', $this->secondary_group ) : '*',
        FALSE,
        array(
            'options'            => $groups,
            'multiple'           => TRUE,
            'unlimited'          => '*',
            'unlimitedLang'      => 'do_not_change',
            'unlimitedToggles'   => array( 'p_return_secondary' ),
            'unlimitedToggleOn'  => FALSE
        )
    ) );

Change to:

    $form->add( new \IPS\Helpers\Form\Select(
        'p_secondary_group',
        $this->secondary_group ? explode( ',', $this->secondary_group ) : '*',
        FALSE,
        array(
            'options'            => \IPS\Member\Group::groups( FALSE, FALSE ),
            'multiple'           => TRUE,
            'unlimited'          => '*',
            'unlimitedLang'      => 'do_not_change',
            'unlimitedToggles'   => array( 'p_return_secondary' ),
            'unlimitedToggleOn'  => FALSE
        )
    ) );

Results:
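The file edit above only changes which groups the select offers. A shop manager with ACP access can still submit the product form with a group id the select never listed, so a complete fix also re-checks the saved values on the server. The following is an added example, not code from the thread or from IPS, written stand-alone so it runs without the suite: the group rows are constructed, `g_access_cp` mirrors the IPS core_groups column of that name as an assumption, and `is_guest` / `is_moderator` are hypothetical flags standing in for however your install marks those groups.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from IPS. Two halves of a fix:
// (1) keep staff groups out of the purchase-benefit group select, and
// (2) re-validate the submitted ids server-side, because a manager with ACP
//     access can replay the product POST with an id the select never offered.
// Group rows are constructed. 'g_access_cp' mirrors the IPS core_groups column
// (assumption); 'is_guest' and 'is_moderator' are hypothetical flags.

/** Groups that a product may promote a buyer into: id => name. */
function promotableGroups(array $groups): array
{
    $allowed = [];
    foreach ($groups as $id => $g) {
        // Never offer guests, any group with ACP access, or any moderator group.
        if (!empty($g['is_guest']) || !empty($g['g_access_cp']) || !empty($g['is_moderator'])) {
            continue;
        }
        $allowed[$id] = $g['name'];
    }
    return $allowed;
}

/**
 * Validate the submitted promotion settings against the allowed set.
 * '*' means "do not change" (the 'unlimited' value of the p_primary_group
 * select) and is always accepted. Returns error strings; empty means the
 * product may be saved.
 */
function validatePromotion(string $primary, array $secondary, array $allowed): array
{
    $errors = [];
    if ($primary !== '*' && !isset($allowed[(int) $primary])) {
        $errors[] = "primary group {$primary} may not be granted by a product";
    }
    foreach ($secondary as $id) {
        if (!isset($allowed[(int) $id])) {
            $errors[] = "secondary group {$id} may not be granted by a product";
        }
    }
    return $errors;
}

// Constructed groups; the ids are arbitrary, not IPS defaults.
$groups = [
    2 => ['name' => 'Guests',         'is_guest' => 1, 'g_access_cp' => 0, 'is_moderator' => 0],
    3 => ['name' => 'Members',        'is_guest' => 0, 'g_access_cp' => 0, 'is_moderator' => 0],
    4 => ['name' => 'Administrators', 'is_guest' => 0, 'g_access_cp' => 1, 'is_moderator' => 1],
    6 => ['name' => 'Moderators',     'is_guest' => 0, 'g_access_cp' => 0, 'is_moderator' => 1],
    8 => ['name' => 'Premium',        'is_guest' => 0, 'g_access_cp' => 0, 'is_moderator' => 0],
    9 => ['name' => 'Shop managers',  'is_guest' => 0, 'g_access_cp' => 1, 'is_moderator' => 0],
];

$allowed = promotableGroups($groups);
print_r($allowed);
// Only Members (3) and Premium (8) remain to be put in the select.

// A legitimate product: the buyer becomes Premium.
var_dump(validatePromotion('8', [], $allowed) === []);   // bool(true)

// The "admin for 1 USD" product from the thread, submitted with ids the
// select no longer shows. Two errors: the save must be refused.
print_r(validatePromotion('4', ['6'], $allowed));
```

Note that the "Shop managers" group is excluded as well because it has ACP access: a product that promotes a buyer into the product-creating group would let a manager mint more managers, which is the same escalation one step removed.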
Cyboman Posted July 18, 2017 (Author) That would be perfect but not dramatically urgent, as I just reduced the shop user group to only very few members for now. So currently I could wait a while until IPS fixes this issue (hopefully). Maybe other IPS users need a patch more urgently... But as described above, the fix is not only to remove the STAFF groups (yes, that's most important), but also to completely restrict group promotions (all groups or selectable groups, primary and secondary). There are a lot of other groups that the shop user group (with ACP access) shouldn't be granted access to. Thanks!
Adriano Faria Posted July 18, 2017
Just now, Cyboman said:
    That would be perfect but not dramatically urgent, as I just reduced the shop user group to only very few members for now.
Just posted above.
TDBF Posted July 18, 2017
14 hours ago, Cyboman said:
    Thanks, I already thought I was alone with that problem. Just as an enhancement to the problem solution described above: the more I think about it, I would suggest that group promotions in IP.Commerce should get an individual administrator permission setting -> "Can create products with group promotions?" Meaning: it should be a separate, dominant administrator permission whether group promotions can be added to a product at all by a specific admin group.
I'd just like to state that you are not the only one this has happened to. Another application which allows promoting to groups automatically promoted to Administrator as a default; I had about 5 members promoted to Admins, and I was lucky that one of my members contacted me straight away to let me know. I dread to think what could have happened otherwise. I personally don't envisage any circumstance where one of my members would be automatically promoted to a moderation or administration group. Either these groups should be removed from the list, or a toggle to turn off promotion to admin or mod groups should be added to the form.
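TDBF's report is the other half of the problem: by the time the option is hidden, products that grant a staff group may already exist and members may already have been promoted by buying them. The following is an added example, not code from the thread or from IPS, of an offline audit for exactly that. All rows are constructed; the column names mirror the IPS tables core_groups (`g_id`, `g_access_cp`), nexus_packages (`p_id`, `p_primary_group`, `p_secondary_group`) and core_members (`member_id`, `name`, `member_group_id`, `mgroup_others`) as an assumption, so verify them against your own schema before pointing this at a real database.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from IPS: find products that
// already promote into staff groups, and members who currently hold one.
// Rows are constructed. Column names mirror the IPS tables core_groups,
// nexus_packages and core_members as an assumption; check your schema.

/** Group ids that count as staff: ACP access, or listed in $moderatorIds. */
function staffGroupIds(array $groups, array $moderatorIds): array
{
    $staff = [];
    foreach ($groups as $g) {
        if ((int) $g['g_access_cp'] === 1 || in_array((int) $g['g_id'], $moderatorIds, true)) {
            $staff[] = (int) $g['g_id'];
        }
    }
    return $staff;
}

/** Split a stored group value: '*' or '' means "do not change". */
function grantedGroupIds(string $value): array
{
    if ($value === '*' || $value === '') {
        return [];
    }
    return array_map('intval', explode(',', $value));
}

/** Products whose purchase benefit grants a staff group: p_id => offending ids. */
function productsPromotingToStaff(array $packages, array $staff): array
{
    $hits = [];
    foreach ($packages as $p) {
        $granted = array_merge(
            grantedGroupIds((string) $p['p_primary_group']),
            grantedGroupIds((string) $p['p_secondary_group'])
        );
        $bad = array_values(array_intersect($granted, $staff));
        if ($bad !== []) {
            $hits[(int) $p['p_id']] = $bad;
        }
    }
    return $hits;
}

/** Members holding a staff group as primary or secondary group: member_id => name. */
function membersInStaffGroups(array $members, array $staff): array
{
    $hits = [];
    foreach ($members as $m) {
        $held = array_merge([(int) $m['member_group_id']], grantedGroupIds((string) $m['mgroup_others']));
        if (array_intersect($held, $staff) !== []) {
            $hits[(int) $m['member_id']] = $m['name'];
        }
    }
    return $hits;
}

// Constructed data; ids are arbitrary, not IPS defaults.
$groups = [
    ['g_id' => 3, 'g_access_cp' => 0],   // members
    ['g_id' => 4, 'g_access_cp' => 1],   // administrators
    ['g_id' => 6, 'g_access_cp' => 0],   // moderators, flagged via $moderatorIds below
    ['g_id' => 8, 'g_access_cp' => 0],   // premium
];
$packages = [
    ['p_id' => 10, 'p_primary_group' => '8', 'p_secondary_group' => '*'],   // fine
    ['p_id' => 11, 'p_primary_group' => '*', 'p_secondary_group' => '4,8'], // grants admin
    ['p_id' => 12, 'p_primary_group' => '6', 'p_secondary_group' => ''],    // grants moderator
];
$members = [
    ['member_id' => 1, 'name' => 'owner',   'member_group_id' => 4, 'mgroup_others' => ''],
    ['member_id' => 2, 'name' => 'alice',   'member_group_id' => 3, 'mgroup_others' => '8'],
    ['member_id' => 3, 'name' => 'mallory', 'member_group_id' => 3, 'mgroup_others' => '4,8'],
];

$staff = staffGroupIds($groups, [6]);
print_r(productsPromotingToStaff($packages, $staff)); // [11 => [4], 12 => [6]]
print_r(membersInStaffGroups($members, $staff));      // [1 => 'owner', 3 => 'mallory']
```

Compare the second list against the people you actually appointed; anyone else should be cross-checked against their purchase history and the ACP admin log before the group is removed, and the flagged products should be edited or deleted so that the promotion cannot be bought again.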
Archived
This topic is now archived and is closed to further replies.