
Dangerous group promotion option in IP.Commerce


Cyboman


I just detected that the "group promotion options" in any IP.Commerce product offer promotion to the "Administrator" or "Moderator" group.

This shouldn't be.

For my IP.Commerce shop, I appoint third-party shop managers (with ACP access) to add new products to the shop. That's the only permission they get via the ACP.

But it's a very high security risk, as they are able to configure any new product (e.g. "promote to admin group", for 1 USD), and then, after buying it for 1 USD, they will be promoted to the "administrators" group with full access to the community. I found no way to prevent or restrict this.

Admin groups should be excluded from the group promotion settings in Commerce products, in any case.

The only product I can think of where this option is useful, is if you want to sell your community...


Thanks, I already thought I was alone with that problem :cry: :lol:

Just as an enhancement to the solution described above:
The more I think about it, I would suggest that group promotions in IP.Commerce should get an individual administrator permission setting.

-> "Can create products with group promotions?"

Meaning: there should be a separate, dominant administrator permission that decides whether a particular admin group can add group promotions to a product at all.


7 hours ago, Good-Admin said:

Should you not promote them to admin but rather to a completely different user group of your own making? For example, a shop user group.

Probably a misunderstanding.

I have a shop user group (where I manually promote selected trustworthy members to). This shop user group has restricted admin privileges to be able to only add new products.

But the problem is that this restricted shop user group can create any new product that automatically promotes the buyer to the admin user group, with maximum permissions on the community. They can use this high-severity security flaw as a workaround because you can't restrict product creators from promoting to the admin role when creating a product.

This way, any shop user group member could promote himself or any other person to a full administrator role by simply buying his own admin group promotion product.


Open applications\nexus\sources\Package\Package.php and find:

		$form->add( new \IPS\Helpers\Form\Select( 'p_primary_group', $this->primary_group ?: '*', FALSE, array( 'options' => $groups, 'unlimited' => '*', 'unlimitedLang' => 'do_not_change', 'unlimitedToggles' => array( 'p_return_primary' ), 'unlimitedToggleOn' => FALSE ) ) );

Change to:

		$form->add( new \IPS\Helpers\Form\Select( 'p_primary_group', $this->primary_group ?: '*', FALSE, array( 'options' => \IPS\Member\Group::groups( FALSE, FALSE ), 'unlimited' => '*', 'unlimitedLang' => 'do_not_change', 'unlimitedToggles' => array( 'p_return_primary' ), 'unlimitedToggleOn' => FALSE ) ) );

Find:

		$form->add( new \IPS\Helpers\Form\Select( 'p_secondary_group', $this->secondary_group ? explode( ',', $this->secondary_group ) : '*', FALSE, array( 'options' => $groups, 'multiple' => TRUE, 'unlimited' => '*', 'unlimitedLang' => 'do_not_change', 'unlimitedToggles' => array( 'p_return_secondary' ), 'unlimitedToggleOn' => FALSE ) ) );

Change to:

		$form->add( new \IPS\Helpers\Form\Select( 'p_secondary_group', $this->secondary_group ? explode( ',', $this->secondary_group ) : '*', FALSE, array( 'options' => \IPS\Member\Group::groups( FALSE, FALSE ), 'multiple' => TRUE, 'unlimited' => '*', 'unlimitedLang' => 'do_not_change', 'unlimitedToggles' => array( 'p_return_secondary' ), 'unlimitedToggleOn' => FALSE ) ) );

Results:

(screenshot: Capturar.png)

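The find/replace above narrows the dropdown so that staff groups are no longer offered. An added example of the same idea as a stand-alone allow-list, not IPS code and not part of the original post: it builds the permitted option set (no admin groups, no moderator groups, no guests) and, separately, re-checks what the product form actually submitted, because a shop manager with ACP access can POST any group ID regardless of what the dropdown showed. The group records, the `is_admin`/`is_mod` flags and the function names are constructed for illustration; real IPS group objects and the `Form\Select` helper's own validation differ.

```php
<?php
// Added example, not IPS code. Models an allow-list for the
// p_primary_group / p_secondary_group fields of a Commerce product.
// Group records and staff flags below are constructed sample data.

declare(strict_types=1);

// Constructed sample of a community's groups (id => record). 'is_admin'
// and 'is_mod' stand in for whatever the platform uses to mark staff
// groups (assumption for this example).
const SAMPLE_GROUPS = [
    2 => ['name' => 'Guests',         'is_admin' => false, 'is_mod' => false],
    3 => ['name' => 'Members',        'is_admin' => false, 'is_mod' => false],
    4 => ['name' => 'Administrators', 'is_admin' => true,  'is_mod' => false],
    6 => ['name' => 'Moderators',     'is_admin' => false, 'is_mod' => true ],
    7 => ['name' => 'Premium',        'is_admin' => false, 'is_mod' => false],
];

/**
 * Groups a product is allowed to promote a buyer into: never staff
 * groups, never the guest group. Returns id => name, the shape a
 * select field's 'options' array takes.
 */
function promotableGroups(array $groups, int $guestGroupId): array
{
    $allowed = [];
    foreach ($groups as $id => $g) {
        if ($id === $guestGroupId || $g['is_admin'] || $g['is_mod']) {
            continue;
        }
        $allowed[$id] = $g['name'];
    }
    return $allowed;
}

/**
 * Server-side check of the submitted value. '*' means "do not change"
 * and is always accepted. Secondary groups arrive as a comma-separated
 * list, mirroring how the product stores them. Returns the cleaned
 * value or throws if any group is outside the allow-list.
 */
function validatePromotion(string $submitted, array $allowed, bool $multiple): string
{
    if ($submitted === '*') {
        return '*';
    }
    $ids   = $multiple ? explode(',', $submitted) : [$submitted];
    $clean = [];
    foreach ($ids as $raw) {
        $raw = trim($raw);
        if ($raw === '' || !ctype_digit($raw) || !isset($allowed[(int) $raw])) {
            throw new InvalidArgumentException("group '{$raw}' is not a promotable group");
        }
        $clean[] = (int) $raw;
    }
    return implode(',', array_unique($clean));
}

// Usage: what the restricted shop manager is offered, two legitimate
// submissions, and the attack from the thread (promote to group 4,
// Administrators) being rejected even though it never appeared in
// the dropdown.
$allowed = promotableGroups(SAMPLE_GROUPS, 2);
echo json_encode($allowed), "\n";
echo validatePromotion('7', $allowed, false), "\n";
echo validatePromotion('3,7', $allowed, true), "\n";
try {
    validatePromotion('4', $allowed, false);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the second function is the one a reviewer would raise about any dropdown-only fix: the option list controls what an honest user sees, while the allow-list applied on the server controls what a dishonest one can save. Both checks must derive from the same source so they cannot drift apart.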

That would be perfect, but it's not dramatically urgent, as I have just reduced the shop user group to only very few members for now.

So currently I could wait a while until IPS fixes this issue (hopefully).

Maybe other IPS users need a patch more urgently...

But as described above, the fix is not only to remove the STAFF groups (yes, that's most important), but also to completely restrict group promotions (all groups or selectable groups, primary and secondary). There are a lot of other groups to which the shop user group (with ACP access) shouldn't be granted access.

Thanks!


14 hours ago, Cyboman said:

Thanks, I already thought I was alone with that problem :cry: :lol:

Just as an enhancement to the solution described above:
The more I think about it, I would suggest that group promotions in IP.Commerce should get an individual administrator permission setting.

-> "Can create products with group promotions?"

Meaning: there should be a separate, dominant administrator permission that decides whether a particular admin group can add group promotions to a product at all.

I'd just like to state that you are not the only one this has happened to. Another application which allows promotion to groups automatically promoted to Administrator as a default; I had about 5 members promoted to Admins, and I was lucky that one of my members contacted me straight away to let me know. I dread to think what could have happened otherwise.

I personally don't envisage any circumstance where one of my members would be automatically promoted to a moderation or administration group. Either these groups should be removed from the list, or a toggle to turn off promotion to admin or mod groups should be added to the form.


Archived

This topic is now archived and is closed to further replies.
