Possible security issue with Magento roles

Written by Gui.do X Jansen,
April 2010

One of the wonderful things about Magento is its fine-grained ACL (Access Control List): you can give colleagues or external parties access to small parts of your Magento backend. For example, you can create a user role with general access to all orders, or very specific access to only orders on hold. You can grant access to only Reviews and Ratings, or combine that with access to certain Reports, CMS pages and promotional features. In total there are 196 (Enterprise) or 156 (Community Edition) functions you can enable or disable for a role. You then assign users to a role and voilà: Magento ACL.

The issue

Two of those 196 (or 156) functions give users access to the Roles and Users part of the permission system, which means that these users can create and edit roles and users. Today I found out that these users can manage ANY role and assign it to ANY user: the ability to manage permissions is not limited to the permissions the managing user holds themselves. Starting to feel the problem here...? A user with very limited access, but with at least the permission to manage permissions, can give himself access to the complete website. And it doesn't stop there: this user can also change the role of all other administrators (with more or all rights) or even set them to inactive, locking the real administrators out. I have no idea how many shops have users with limited access that includes access to roles and users, but I can think of situations where this applies to certain roles within a company. And although this is not a bug in the code, in my opinion it definitely qualifies as an unwanted 'feature'. I've searched for the issue in the Magento bug tracker but it doesn't seem to have been reported yet, so I created this ticket for the issue.

What you should do

If you're the only user in your shop: nothing. If you have multiple backend users with different permissions, check which roles include the Roles and Users functions under Permissions and change them accordingly: anyone holding those two functions can grant themselves everything, so treat such a role as a full administrator role whatever else it allows. At the very least, be aware of how Magento behaves with these permissions.

What Magento could do

I think it would be best to restrict a user's ability to create or edit roles to the permissions that the user's own role has. You shouldn't be able to create a role with more rights than your own role. You also shouldn't be able to remove permissions from other roles for features you don't have access to in the first place. Users should be able to create roles and add users with permissions that at most match their own. And they should definitely not have the permission to deactivate or remove administrators with all, or more, permissions. I hope this helps you in preventing a hostile takeover by other users... Well, I don't seriously think it will go that fast, since I don't think you will give just anyone access to your Magento backend. But if you have a large company with multiple backend users from different departments, and maybe third parties that are able to log in, this is definitely something to check and be aware of until this is fixed.
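As an added example (not code from the original post, and not Magento's own ACL code), the following Python models both halves of this post: the unscoped behaviour described under "The issue", where anyone holding the Roles and Users functions can rewrite any role and deactivate any administrator, and the "no more than you hold" rule proposed above. The resource identifiers, role names, user names and the PermissionManager class are all constructed for illustration and do not correspond to Magento's real resource tree.

```python
# Model of the Magento 1 ACL escalation described above, next to the
# "you cannot grant more than you hold" rule the post proposes as a fix.
# Added example, not Magento code: the resource names, role names, user
# names and the manager class are all constructed for illustration.
from dataclasses import dataclass

# Constructed resource identifiers, loosely named after Magento 1 backend areas.
ALL_RESOURCES = frozenset({
    "sales/order", "catalog/reviews_ratings", "report/sales", "cms/page",
    "system/acl/roles", "system/acl/users", "system/config",
})
# The two "Permissions" functions (Roles and Users) the post talks about.
PERMISSIONS_RESOURCES = frozenset({"system/acl/roles", "system/acl/users"})

@dataclass
class User:
    name: str
    role: str
    active: bool = True

class PermissionDenied(Exception):
    pass

@dataclass
class AclStore:
    roles: dict  # role name -> frozenset of resources
    users: dict  # user name -> User

    def effective(self, username):
        # A user's effective permissions are the role's, or nothing once inactive.
        user = self.users[username]
        return self.roles[user.role] if user.active else frozenset()

class PermissionManager:
    # scoped=False is the behaviour the post describes; scoped=True is the fix.
    def __init__(self, store, scoped):
        self.store, self.scoped = store, scoped

    def _role_of(self, username):
        # The target's role itself, not effective(), so an already inactive
        # administrator is still protected from being handed a weaker role.
        return self.store.roles[self.store.users[username].role]

    def _require(self, actor, touched, what):
        mine = self.store.effective(actor)
        if not PERMISSIONS_RESOURCES <= mine:
            raise PermissionDenied(f"{actor} has no access to Permissions")
        # The fix: every resource a change grants, revokes or affects must be
        # one the actor holds. Unscoped, the Permissions check above is all.
        if self.scoped and not touched <= mine:
            raise PermissionDenied(f"{actor} may not {what} beyond own rights")

    def save_role(self, actor, name, resources):
        old = self.store.roles.get(name, frozenset())
        self._require(actor, old | resources, "grant or revoke")
        self.store.roles[name] = resources

    def assign_role(self, actor, username, role_name):
        self._require(actor, self._role_of(username) | self.store.roles[role_name], "reassign")
        self.store.users[username].role = role_name

    def set_active(self, actor, username, active):
        self._require(actor, self._role_of(username), "deactivate")
        self.store.users[username].active = active

def build_store():
    # Constructed shop: a full administrator plus a limited user who was also
    # given the two Permissions functions.
    limited = frozenset({"catalog/reviews_ratings"}) | PERMISSIONS_RESOURCES
    return AclStore(roles={"Administrators": ALL_RESOURCES, "Reviews": limited},
                    users={"owner": User("owner", "Administrators"),
                           "mallory": User("mallory", "Reviews")})

def attempt_takeover(scoped):
    # The two moves the post warns about, made by the limited user. Returns
    # (mallory can now reach system/config, owner is still active).
    store = build_store()
    mgr = PermissionManager(store, scoped)
    for step in (lambda: mgr.save_role("mallory", "Reviews", ALL_RESOURCES),
                 lambda: mgr.set_active("mallory", "owner", False)):
        try:
            step()
        except PermissionDenied:
            pass
    return "system/config" in store.effective("mallory"), store.users["owner"].active

def delegate_reviews(scoped):
    # Legitimate delegation the fix must keep allowing: the limited user creates
    # a narrower role and hands it to a colleague.
    store = build_store()
    store.users["trent"] = User("trent", "Reviews")
    mgr = PermissionManager(store, scoped)
    mgr.save_role("mallory", "Reviewers", frozenset({"catalog/reviews_ratings"}))
    mgr.assign_role("mallory", "trent", "Reviewers")
    return store.effective("trent") == frozenset({"catalog/reviews_ratings"})

if __name__ == "__main__":
    print("as shipped:", attempt_takeover(scoped=False))  # (True, False)
    print("with fix:  ", attempt_takeover(scoped=True))   # (False, True)
```

With scoped=False the limited user ends up holding system/config and the owner is deactivated; with scoped=True both moves are refused, while delegate_reviews() shows the same user can still create and hand out a narrower role. The whole rule reduces to one set comparison in _require: everything a change grants, revokes or touches must be a subset of what the actor currently holds, which covers the three cases listed above (no broader roles, no revoking what you lack, no demoting or deactivating someone with more rights).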
