[BUG] `lldap_password_manager` role does not see other users in the web UI
jrbarronumd opened this issue · 5 comments
Describe the bug
The lldap_password_manager role does not have permissions to manage any passwords
To Reproduce
Steps to reproduce the behavior:
- Create user with
lldap_password_managerrole - Log in to LLDAP as that user
- User permissions only allow viewing of that single account
Expected behavior
I would expect the lldap_password_manager role to be able to manage passwords of its own account and others.
Logs
2024-03-20T01:17:11.939297603+00:00 INFO LDAP session [ 74.0ms | 0.10% / 100.00% ]
2024-03-20T01:17:12.056962837+00:00 INFO ┕━ LDAP request [ 126µs | 0.05% / 0.17% ]
2024-03-20T01:17:12.056967597+00:00 DEBUG ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 3, op: ExtendedRequest(LdapExtendedRequest { name: "1.3.6.1.4.1.4203.1.11.1", value: Some("vec![...]") }), ctrl: [] }
2024-03-20T01:17:12.056973567+00:00 DEBUG ┝━ get_user_groups [ 86.7µs | 0.12% ] user_id: "admin_user"
2024-03-20T01:17:12.057128688+00:00 DEBUG │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(5), display_name: GroupName("admins"), creation_date: 2024-03-18T20:45:10.271245499, uuid: Uuid("bunch of characters"), attributes: [] }, GroupDetails { group_id: GroupId(1), display_name: GroupName("lldap_admin"), creation_date: 2024-03-18T19:02:27.073584197, uuid: Uuid("bunch of characters"), attributes: [] }, GroupDetails { group_id: GroupId(4), display_name: GroupName("family"), creation_date: 2024-03-18T20:42:17.073042073, uuid: Uuid("bunch of characters"), attributes: [] }}
2024-03-20T01:17:12.057134948+00:00 DEBUG ┕━ 🐛 [debug]: | response: ExtendedResponse(LdapExtendedResponse { result: LdapResult { code: InsufficentAccessRights, matcheddn: "", message: "User `authelia_bind_user` cannot modify the password of user `admin_user`", referral: [] }, name: None, value: "vec![...]" })
Additional context
I hope I'm not missing something here, but I know that's very possible. Is the role in question configurable and I've not set it up right?
From the logs, it seems you're trying to modify the password of an admin account. Only admins can modify the password of admins, otherwise you would get a privilege escalation from password manager to admin.
Try with a regular user.
Yeah, that was it. I was able to use Authelia's service to change a password for a non admin account. So the web UI does not allow users with that role to do anything, it's just for API access?
Thanks for the quick response. Sorry for the wasted time. I knew it would be something stupid on my end...
From the web UI, with that role you should be able to see all users (i.e. all the a read-only account can do), change your own details (that's the case for every user) and set non-admins' passwords (including other password manager accounts)
Ok, that's what I expected. When I log in as my Authelia bind user I can only see that account. I can edit email and display name, but the password field is not there. There are no navigation links to go to other pages in the UI, but I did just realize that if I manually type in the my.domain/users url, I can see the other users and edit names and emails. By default, when logging in, or clicking the LLDAP in the top left, it goes to my.domain/user/[active_user] as shown in the image below.
I don't necessarily care about the UI for this use case, since it will only ever need API access. And it seems that the API access performs as expected in my limited testing.
Oh, it might be a frontend outdated check that only checks if the user is admin or not. More generally, we don't really check the different permission levels and what they should see very well.