  1. Guacamole
  2. GUACAMOLE-507

Allowing "change own password" for a user account allows it to modify / delete existing connections


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Cannot Reproduce
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: guacamole
    • Labels: None
    • Environment: Ubuntu server 16.04.3, guacamole git version client and server

    Description

      Testing the latest guacamole-client AND guacamole-server git versions with the TOTP extension ON and a MySQL database:

      Allowing "change own password" for a user account allows it to modify / delete existing connections

      I created a standard user "test" by cloning the default admin account "guacadmin". Then I just checked the box "change own password", nothing more; all other boxes are blank!

      Then I connected through Guacamole with that new user "test" and tried to change my password, then I realized I was able to see the Users and Connections tabs and access them!

      While on the Users tab I cannot modify my own user profile (access denied), on the Connections tab I can modify OR delete existing connections?!

      Then I retried with a new user created WITHOUT cloning the default "guacadmin" account, and this time it seems to work as expected!

      Worth checking that and confirming there's a security issue relating to cloning an account vs creating a new account?

      Thank you!

          People

            Assignee: Unassigned
            Reporter: guacuser emma