[keycloak-user] KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement?

David Illsley davidillsley at gmail.com
Tue Oct 13 14:15:17 EDT 2015

Hi all,
KEYCLOAK-1735 describes that users with the 'manage-users' can role can
self-assign 'manage-realm', and gain substantial extra privileges.

This behaviour came as a substantial surprise to me when I discovered it,
and I suspect there are users out there who have vulnerabilities due to
this unexpected behaviour.

KEYCLOAK-1735 is currently marked as an enhancement, and while I can see
that it might be substantial work to change this behaviour, I think it
should be a priority to make the behaviour clear to users - probably
through documentation, and possibly through renaming the role so that its
expansive powers are clear.

Is this a possibility? What's the best way to get this to happen?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151013/f90db96b/attachment.html 

More information about the keycloak-user mailing list