[keycloak-user] KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement?
David Illsley
davidillsley at gmail.com
Tue Oct 13 14:15:17 EDT 2015
Hi all,
KEYCLOAK-1735 describes that users with the 'manage-users' role can
self-assign 'manage-realm', and gain substantial extra privileges.
This behaviour came as a substantial surprise to me when I discovered it,
and I suspect there are users out there who have vulnerabilities due to
this unexpected behaviour.
KEYCLOAK-1735 is currently marked as an enhancement, and while I can see
that it might be substantial work to change this behaviour, I think it
should be a priority to make the behaviour clear to users - probably
through documentation, and possibly through renaming the role so that its
expansive powers are clear.
Is this a possibility? What's the best way to get this to happen?
Thanks,
David
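The escalation David describes leaves a trace in Keycloak's admin events: a role-mapping CREATE whose acting user and target user are the same account and whose payload carries 'manage-realm'. The following is an added example, not code from the original post or from the Keycloak project, that audits an exported batch of admin events offline for exactly that pattern. It assumes the admin-event shape Keycloak emits when admin events with representation are enabled (authDetails.userId for the actor, resourcePath naming the target, representation holding the granted roles as a JSON string); the sample events, the user and client ids, and the list of "sensitive" realm-management roles are constructed for the example.

```python
"""Audit exported Keycloak admin events for self-granted or sensitive admin roles.

Added example for the keycloak-user thread on KEYCLOAK-1735; not Keycloak code.
Assumed event shape: authDetails.userId = acting admin, resourcePath =
"users/<id>/role-mappings/...", representation = JSON string of role objects.
"""
import json
import re

# realm-management client roles that confer broad power in a realm
# (assumption: a practitioner's watch list, not an exhaustive one)
SENSITIVE_REALM_MGMT_ROLES = {
    "realm-admin", "manage-realm", "manage-clients",
    "manage-identity-providers", "manage-authorization", "manage-events",
}

_TARGET_USER_RE = re.compile(r"^users/([^/]+)/role-mappings/")


def target_user_of(resource_path):
    """Return the user id a role-mapping event targets, or None if not a user mapping."""
    m = _TARGET_USER_RE.match(resource_path or "")
    return m.group(1) if m else None


def granted_role_names(representation):
    """Decode the role representations carried in an admin event payload."""
    if not representation:
        return []
    roles = json.loads(representation) if isinstance(representation, str) else representation
    return [r.get("name") for r in roles if isinstance(r, dict) and r.get("name")]


def find_suspicious_grants(events):
    """Flag role-mapping CREATEs that grant a sensitive role or that a user applies to themself."""
    findings = []
    for ev in events:
        if ev.get("resourceType") not in ("CLIENT_ROLE_MAPPING", "REALM_ROLE_MAPPING"):
            continue
        if ev.get("operationType") != "CREATE":
            continue
        actor = (ev.get("authDetails") or {}).get("userId")
        target = target_user_of(ev.get("resourcePath"))
        roles = granted_role_names(ev.get("representation"))
        sensitive = sorted(set(roles) & SENSITIVE_REALM_MGMT_ROLES)
        self_grant = actor is not None and actor == target
        if not sensitive and not self_grant:
            continue
        findings.append({
            "time": ev.get("time"),
            "actor": actor,
            "target": target,
            "roles": roles,
            "sensitive_roles": sensitive,
            "self_grant": self_grant,
            # a user handing themself a sensitive role is the KEYCLOAK-1735 pattern
            "severity": "high" if (self_grant and sensitive) else "medium",
        })
    return findings


# Constructed sample events (ids and times are made up for the example).
RM_CLIENT = "rm-client-0001"
SAMPLE_ADMIN_EVENTS = [
    {   # benign: a manage-users holder grants view-users to someone else
        "time": 1444760100000, "realmId": "demo",
        "authDetails": {"realmId": "demo", "clientId": "security-admin-console",
                        "userId": "user-alice", "ipAddress": "10.0.0.5"},
        "resourceType": "CLIENT_ROLE_MAPPING", "operationType": "CREATE",
        "resourcePath": f"users/user-bob/role-mappings/clients/{RM_CLIENT}",
        "representation": json.dumps([{"name": "view-users", "clientRole": True}]),
    },
    {   # the escalation: alice grants manage-realm to herself
        "time": 1444760117000, "realmId": "demo",
        "authDetails": {"realmId": "demo", "clientId": "security-admin-console",
                        "userId": "user-alice", "ipAddress": "10.0.0.5"},
        "resourceType": "CLIENT_ROLE_MAPPING", "operationType": "CREATE",
        "resourcePath": f"users/user-alice/role-mappings/clients/{RM_CLIENT}",
        "representation": json.dumps([{"name": "manage-realm", "clientRole": True}]),
    },
    {   # worth a look: manage-realm handed to another account
        "time": 1444760130000, "realmId": "demo",
        "authDetails": {"realmId": "demo", "clientId": "security-admin-console",
                        "userId": "user-alice", "ipAddress": "10.0.0.5"},
        "resourceType": "CLIENT_ROLE_MAPPING", "operationType": "CREATE",
        "resourcePath": f"users/user-bob/role-mappings/clients/{RM_CLIENT}",
        "representation": json.dumps([{"name": "manage-realm", "clientRole": True}]),
    },
    {   # ignored: a DELETE is not a grant
        "time": 1444760140000, "realmId": "demo",
        "authDetails": {"realmId": "demo", "clientId": "security-admin-console",
                        "userId": "user-alice", "ipAddress": "10.0.0.5"},
        "resourceType": "CLIENT_ROLE_MAPPING", "operationType": "DELETE",
        "resourcePath": f"users/user-bob/role-mappings/clients/{RM_CLIENT}",
        "representation": json.dumps([{"name": "view-users", "clientRole": True}]),
    },
]

if __name__ == "__main__":
    for f in find_suspicious_grants(SAMPLE_ADMIN_EVENTS):
        print(f"[{f['severity']}] actor={f['actor']} target={f['target']} "
              f"roles={f['roles']} self_grant={f['self_grant']}")
```

On a real deployment the input would be the admin-event export (admin events must be enabled with "include representation" for the role payload to be present); until the behaviour in KEYCLOAK-1735 changes, any high-severity hit here is a manage-users holder who has promoted themself.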