Security Issue With Gallery

Topics: Business Logic Layer
Sep 21, 2015 at 3:35 PM
Hi, this is probably a low risk with regards to permissions being ineffective.

I'm working on a project where the administrators need cut-down privileges, from the inception of their blog, so they can only view roles, and not be able to manage roles & packages.

This appears to be fine until an admin user goes to the dashboard, under "Latest From The Gallery" clicks a package there - they are then taken to the packages area where they may view the package they just clicked.

All that is then required is to remove the search term to be able to manage all packages - or you may navigate to the /admin/index.cshtml#/custom/packages URL.

I'm currently looking in to giving editors more permissions and disabling the admin account, but seem to have another problem where an editor who can create users, can assign admin roles to their new user - kind of defeats the purpose of what I'm trying.
Sep 21, 2015 at 3:39 PM
P.S. I've tried using URL Rewrite to throw a 403 but not getting any luck - it seems that client side javascript is involved too much with /admin/index.cshtml# string