Possible security issue with Magento roles

Written by Guido Jansen in
April 2010

One of the wonderful things about Magento is it's advanced ACL (Access Control Level): you can offer colleagues or external parties with access to small parts of your Magento backend. For example: you can create a user role with general access to all orders or very specific access to only orders on hold. You can provide access to only Reviews and Ratings, or combine that with access to certain Reports, CMS pages and promotional features. In total, you have 196 (Enterprise) or 156 (Community edition) functions you can either enable or disable for a certain role. You can than appoint users to a role and voila: Magento ACL.

The issue

Two of those 196 (or 156) functions give users access to the Roles and Users permission system, which basically means that these users can create and edit roles and users. Today I found out these users can manage ANY role and can assign it to ANY user. Starting to feel the problem here...? A user with very limited access but with at least access to manage permissions can give himself access to the complete website. And it doesn't stop here. This user is also able to change the role of all other administrators (with more or all rights) or even set them to inactive. I have no idea about how many shops have users with limited access including access to roles and users, but I can think of situations this might apply to certain roles within a company. And although this is not a bug in the code, in my opinion this definitely qualifies as an unwanted 'feature'. I've searched for the issue in the Magento bugtracker but it seems it hasn't been reported yet so I created this ticket for the issue.

What you should do

If you're the only user in your shop: nothing. If you have multiple backend users with different permissions you might want to check the permissions for the Roles and User section and change them accordingly, or at least be aware of how Magento functions with these permissions.

What Magento could do

I think it would be best to restrict a users ability to create or edit roles to be restricted to the permissions that the role itself has. You shouldnt be able to create a role with more rights than your own role. You also shouldn't be able to disallow permissions on other roles for features you don't have access to in the first place. Users should be able to create roles and add users with permissions that (at best) matches their own. And they should definitely not have the permission to deactivate or remove administrators with all/ more permissions. I hope this helps you in preventing a hostile takeover from other users... Well, I don't seriously think it will go that fast, since I don't think you will give just anyone access to your Magento backend. But if you have a large company with multiple backend users from different departments and maybe third-parties that are able to login, this is definitely something to check and be aware of until this is fixed.

Recent posts
Recording: Creating An Optimization Culture
Recording: Creating An Optimization Culture

At Meet Magento UK last July I shared my ideas on how to create an optimization culture at you company, today the organisation released the video recording of my session so here you go!

Magento Association Mission Statement & Culture Statement
Magento Association Mission Statement & Culture Statement

The last couple of weeks the Magento Association Task Force has been working on the Mission and Culture statement for the new Magento Association. Today at Magento Live Europe in Barcelona, Mark Lavelle - Senior Vice President of Magento - announced this on stage.