Possible security issue with Magento roles

Written by Guido Jansen in
April 2010

One of the wonderful things about Magento is its advanced ACL (access control list): you can give colleagues or external parties access to small parts of your Magento backend. For example, you can create a user role with general access to all orders, or very specific access to only orders on hold. You can provide access to only Reviews and Ratings, or combine that with access to certain Reports, CMS pages and promotional features. In total there are 196 (Enterprise) or 156 (Community edition) functions you can enable or disable for a role. You can then assign users to a role and voilà: Magento ACL.

The issue

Two of those 196 (or 156) functions give users access to the Roles and Users permission system, which means these users can create and edit roles and users. Today I found out that these users can manage ANY role and assign it to ANY user. Starting to feel the problem here? A user with very limited access, but with at least the permission to manage permissions, can give himself access to the complete website. And it doesn't stop there: this user is also able to change the role of all other administrators (with more or all rights) or even set them to inactive. I have no idea how many shops have users with limited access that includes access to roles and users, but I can think of situations where this might apply to certain roles within a company. And although this is not a bug in the code, in my opinion it definitely qualifies as an unwanted 'feature'. I've searched for the issue in the Magento bug tracker, but it seems it hasn't been reported yet, so I created this ticket for the issue.

What you should do

If you're the only user in your shop: nothing. If you have multiple backend users with different permissions, you might want to check the permissions for the Roles and Users section and change them accordingly, or at least be aware of how Magento behaves with these permissions.

What Magento could do

I think it would be best to restrict a user's ability to create or edit roles to the permissions that the user's own role has. You shouldn't be able to create a role with more rights than your own role. You also shouldn't be able to disallow permissions on other roles for features you don't have access to in the first place. Users should be able to create roles and add users with permissions that (at best) match their own. And they should definitely not have the permission to deactivate or remove administrators with all or more permissions. I hope this helps you in preventing a hostile takeover by other users... Well, I don't seriously think it will go that fast, since I don't think you will give just anyone access to your Magento backend. But if you have a large company with multiple backend users from different departments, and maybe third parties that are able to log in, this is definitely something to check and be aware of until this is fixed.
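The rule proposed above, modelled as a standalone check: a role edit may only touch resources the editing user holds, and a user may only be re-assigned or deactivated by someone whose own permissions cover the target's. This is an added example and not Magento code; the resource names, roles and users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed resource identifiers, loosely modelled on Magento ACL resource
# names; they are illustrative, not the real Magento resource tree.
ROLES_RES = "admin/system/acl/roles"
USERS_RES = "admin/system/acl/users"
ALL_RESOURCES = frozenset({
    "sales/order", "sales/order/hold", "catalog/reviews_ratings", "report",
    "cms/page", "promo", ROLES_RES, USERS_RES,
})

@dataclass(frozen=True)
class Role:
    name: str
    resources: frozenset

@dataclass
class User:
    username: str
    role: Role
    active: bool = True

def check_role_edit(actor, current, proposed):
    """Allow a role create/edit only if every resource that changes (added or
    removed) is one the actor holds; pass an empty set as current for a new role."""
    if ROLES_RES not in actor.role.resources:
        return False, "actor may not manage roles"
    outside = (frozenset(current) ^ frozenset(proposed)) - actor.role.resources
    if outside:
        return False, "touches resources the actor lacks: " + ", ".join(sorted(outside))
    return True, "ok"

def check_user_edit(actor, target, new_role=None):
    """Allow changing, deactivating or removing a user only if the target's current
    role, and any new role, is a subset of the actor's own permissions."""
    if USERS_RES not in actor.role.resources:
        return False, "actor may not manage users"
    if not target.role.resources <= actor.role.resources:
        return False, f"{target.username} holds permissions the actor lacks"
    if new_role is not None and not new_role.resources <= actor.role.resources:
        return False, f"role {new_role.name} exceeds the actor's permissions"
    return True, "ok"

# Constructed scenario from the post: a limited user who can manage roles and users.
ADMIN = Role("Administrators", ALL_RESOURCES)
CLERK = Role("Permissions clerk", frozenset({"catalog/reviews_ratings", ROLES_RES, USERS_RES}))
alice = User("alice", ADMIN)
bob = User("bob", CLERK)

if __name__ == "__main__":
    print(check_role_edit(bob, CLERK.resources, ALL_RESOURCES))     # denied: escalation
    print(check_role_edit(bob, set(), {"catalog/reviews_ratings"}))  # allowed: subset
    print(check_user_edit(bob, alice))                               # denied: alice outranks bob
    print(check_user_edit(bob, bob, new_role=ADMIN))                 # denied: self-promotion
```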

Recent posts
Optimization hierarchy of evidence
Optimization hierarchy of evidence

A hierarchy of evidence (or levels of evidence) is a heuristic used to rank the relative strength of results obtained from scientific research. I've created a version of this chart/pyramid applied to CRO which you can see below. It contains the options we have as optimizers and tools and methods we often use to gather data.

[EN] Datascience can do what?
[EN] Datascience can do what?

This is a bonus episode with Emily Robinson (Senior Data Scientist at Warby Parker) en Lukas Vermeer (Director of Experimentation at Booking.com). In her earlier session that day, Emily said that real progress starts when you put your work online for others to see and comment on which in this case was about Github. Someone from the audience wondered how that works out in larger companies where a manager or even a legal department might not be overly joyous about that to say the least so I asked Emily about her thoughts on that. Recorded live with audience pre-covid-19 at the Conversion Hotel conference in november 2019 on the island of Texel in The Netherlands. (oorspronkelijk gepubliceerd op https://www.cro.cafe/)