Consider the following scenario:

- create a SharePoint site collection
- create a new security permission level "Test", with "Manage permissions" checked
- create a new group, with "Contribute" and "Test" checked for its permissions

Now, if a member of this group goes to "_layouts/user.aspx", he can modify his group's permissions and check "Full Control". Now he is a site admin.

Is there a way to prevent this behaviour?

A: 

You can use a SPSecurityTrimmedControl to prevent displaying the group list to anyone but Administrators, but as it is a page located in _layouts, it can be overwritten by a service pack, so I think it is not best practice.

mathieu
+1  A: 

I assume you mean "Manage Permissions"? So as far as I can tell, there is no permission for "Let people manage the permissions of others but not be able to give anyone higher permission than they have"... "Manage Permissions" is effectively "Full Control".

SPSecurityTrimmedControl won't really help because it just changes what the user can see, not what they can do. They could still use web services or the API to manage permissions.

spdevsolutions
Yes, but it's for end users who aren't likely to use web services/the API :) Still an issue for me that a group can "raise" its permissions on a site/web.
mathieu
It is true that you can hide actions from naive users easily in SharePoint with SPSecurityTrimmedControl, but take care, because you are still leaving a security hole that may not be easily noticed by site maintainers.
barryd
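As an added example (not code from the question or from either answer), here is a PowerShell audit for the hole the answers describe: it lists every permission level on a site collection that includes "Manage Permissions", and every group or user bound to such a level on each web, so that a site maintainer can spot a "Test"-style level that is effectively Full Control even when the UI hides it. It assumes it is run on a SharePoint server where the server object model is installed, by an account that can read the site collection; the site URL is a placeholder, and the "Full Control" name check is only meaningful on an English-language site.

```powershell
# Added audit script (not code from the thread). Assumes it is run on a
# SharePoint server where the server object model is installed, by an account
# that can read the site collection. $SiteUrl is a placeholder.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/test"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# ManagePermissions is a single bit in the SPBasePermissions flags enum.
$managePermsBit = [uint64][Microsoft.SharePoint.SPBasePermissions]::ManagePermissions

function Get-ManagePermissionsGrants {
    param([string]$Url)

    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions are covered by their parent's report.
                if (-not $web.HasUniqueRoleAssignments) { continue }

                # 1. Every role definition that contains the ManagePermissions bit,
                #    including the built-in "Full Control" (FullMask).
                $escalating = @{}
                foreach ($rd in $web.RoleDefinitions) {
                    if (([uint64]$rd.BasePermissions -band $managePermsBit) -ne 0) {
                        $escalating[$rd.Name] = $true
                    }
                }

                # 2. Every principal bound to one of those definitions on this web.
                foreach ($ra in $web.RoleAssignments) {
                    $bound = @($ra.RoleDefinitionBindings | Where-Object { $escalating.ContainsKey($_.Name) })
                    if ($bound.Count -eq 0) { continue }

                    $members = $null
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        $members = ($ra.Member.Users | ForEach-Object { $_.LoginName }) -join "; "
                    }

                    New-Object PSObject -Property @{
                        Web             = $web.Url
                        Principal       = $ra.Member.Name
                        PrincipalType   = $ra.Member.GetType().Name
                        RoleDefinitions = ($bound | ForEach-Object { $_.Name }) -join ", "
                        # Anything other than "Full Control" here is a custom level that
                        # grants ManagePermissions and is therefore effectively Full Control.
                        # (Name comparison assumes an English-language site.)
                        CustomLevel     = @($bound | Where-Object { $_.Name -ne "Full Control" }).Count -gt 0
                        GroupMembers    = $members
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

Get-ManagePermissionsGrants -Url $SiteUrl |
    Sort-Object Web, Principal |
    Format-Table Web, Principal, PrincipalType, RoleDefinitions, CustomLevel, GroupMembers -AutoSize
```

The report deliberately includes the bindings to "Full Control" itself (typically the Owners group), so that the reviewer sees the complete set of principals who can rewrite permissions on each web; rows with CustomLevel set to True are the ones to question, since, as the second answer says, there is no SharePoint permission that lets someone manage permissions without also being able to grant themselves more.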