Enforcing admin permissions

Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Error

Enforcing admin permissions

Options

Previous Topic Next Topic

Joe Payne2		#1 Posted : Tuesday, July 26, 2022 3:19:30 PM(UTC)
Rank: Advanced Member Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564 Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)		For security reasons I will keep this suggestion vague. PM me if you want to discuss privately. AC9 admin permissions are enforced through a combination of two factors. And only those two factors. Both factors are controlled by an unencrypted file stored on the web server. Should the web server ever get compromised, A simple text edit could grant any admin user full access to the all areas regardless of their current security group assignment. A low-level Catalog Admin could suddenly have permissions to payment gateways, assets folders, html snippets etc. And it did not require a recompile, or even a restart of the app pool. This seems very insecure.


User Profile View All Posts by User View Thanks


	Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S		#2 Posted : Tuesday, July 26, 2022 6:09:51 PM(UTC)
Rank: Advanced Member Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 423 Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)		Thanks for pointing this out. We will discuss the issue.
		Thanks for your support! Katie Secure eCommerce Software and Hosting


User Profile View All Posts by User View Thanks

ray22901031		#3 Posted : Tuesday, July 26, 2022 8:41:02 PM(UTC)
Rank: Advanced Member Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 827 Thanks: 3 times Was thanked: 13 time(s) in 13 post(s)		Hi Katie, It all used to be under one file before 9.0.4, the move from 9.03 to 9.04 went to 2 text files because of the bug where a user could find their way to the customer profile area without being granted permission. On 9.0.4, one file controls what you see, the menu options, and the other file controls the actions. I have spent hours manipulating these two files to get exactly what I want. Since this is being brought up again, the easiest solution is to encrypt the two text files, but the better solution is to finally enhance the user access to the database level. I know it's a lot of work, but this is the one area of AbleCommerce that still stuck in prehistoric times. Joe's analogy would only work if the user was able to log into AbleCommerce in the first place. Since user logins are stored at the database level. Using a CDN, we can limit who can actually log into the admin pages by restricting IP's. Another feature that would be of great benefit to users. My users can only log in at work, but if they had the skills to manipulate the IIS server, then it could become a reality. How nice it would be if, within the groups, you could tweak access to the system using checkboxes. You're also missing a group that deals directly with customers. An "order admin" is useless without having the ability to create new customers, using version 9.03 we were able to bypass this limitation by taking advantage of a bug in the header. This was fixed in 9.0.4. Hope some of this helps, -Ray


User Profile View All Posts by User View Thanks

Katie S		#4 Posted : Wednesday, July 27, 2022 12:07:30 PM(UTC)
Rank: Advanced Member Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 423 Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)		Thanks for making some good points Ray and thank you again for bringing this to our attention Joe. We have discussed this in the past and again today. An alternate solution was brought up to decorate controller/action methods with authorize attributes with appropriate parameters. This is a huge change where we need to decorate 80% to 90% of action methods and then have to test for each admin group. This could be done, but probably for a future release. We need to consider that any time a server is compromised, there are bigger issues at hand. If a user can breach a server, then there are several security vulnerabilities, and we can't stop all of them. Quote: An "order admin" is useless without having the ability to create new customers I opened an issue in Jira for this, ref. AC9-2023.
		Thanks for your support! Katie Secure eCommerce Software and Hosting


User Profile View All Posts by User View Thanks

Users browsing this topic
Guest

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Privacy Policy | Powered by YAF.NET 2.2.4.14 | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.150 seconds.

Important Information: The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies. More Details Close