Prevent Privilege Escalation: Add Assignment Restrictions for Roles and Permissions #24775
+1,878
−133
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nd Permissions #### Problem Description The system has privilege escalation issues: 1. Manager with `AbpIdentity.Users.Update.ManageRoles` permission can add Admin role to themselves or others 2. User with `AbpIdentity.Users.ManagePermissions` or `AbpIdentity.Roles.ManagePermissions` permission can grant others permissions they don't have 3. Users can bypass restrictions by modifying their own user permissions or permissions of roles they belong to #### Solution This PR introduces 3 core security mechanisms: **1. Role Assignability Control (for ManageRoles permission)** - Add `AssignableRoles` configuration to each role, specifying which other roles it can assign - After Manager configures `AssignableRoles: [Sales, Support]`, can only assign these 2 roles, cannot assign Admin **2. Permission Grant Authority Validation (for ManagePermissions permission)** - Check users can only grant permissions they possess - User with permissions 1, 2 can only grant permissions 1, 2 to others, cannot grant permission 3 **3. Self-Modification Protection (for all management permissions)** - Block non-Admin users from modifying their own user permissions (`AbpIdentity.Users.ManagePermissions`) - Block non-Admin users from modifying permissions of roles they belong to (`AbpIdentity.Roles.ManagePermissions`) - Block non-Admin users from adding new roles to themselves (`AbpIdentity.Users.Update.ManageRoles`) - Admin role is exempt from above restrictions #### New Permission Rules **Role Assignment Rules (`AbpIdentity.Users.Update.ManageRoles`):** - Users with this permission can only assign roles configured in their role's `AssignableRoles` - **User's own roles are implicitly included in assignable list** (users with "Manager" role can always assign "Manager" to others, even if not explicitly configured) - If role doesn't configure `AssignableRoles`, no restriction (backward compatible) - Admin role can assign any role **Permission Grant Rules (`AbpIdentity.Users.ManagePermissions` and `AbpIdentity.Roles.ManagePermissions`):** - Users with these permissions can only grant permissions they possess - Admin role can grant any permission **Self-Modification Rules:** - Non-Admin users cannot use `AbpIdentity.Users.ManagePermissions` to modify their own user permissions - Non-Admin users cannot use `AbpIdentity.Roles.ManagePermissions` to modify permissions of roles they belong to - Non-Admin users cannot use `AbpIdentity.Users.Update.ManageRoles` to add new roles to themselves (can only remove) - Admin role can modify their own permissions and roles #### Effect Comparison | Scenario | Before | Now | | --- | --- | --- | | Manager (has ManageRoles) adds Admin role to self | ✅ Success | ❌ Blocked | | Manager (has ManageRoles) assigns Admin role to others | ✅ Success | ❌ Blocked (if not configured in AssignableRoles) | | Manager assigns Manager role to others (not in AssignableRoles) | ✅ Success | ✅ Success (implicit) | | User (has ManagePermissions) grants permissions they don't have | ✅ Success | ❌ Blocked | | Non-Admin user (has Users.ManagePermissions) modifies own permissions | ✅ Success | ❌ Blocked | | Non-Admin user (has Roles.ManagePermissions) modifies own role permissions | ✅ Success | ❌ Blocked | | Admin modifies own permissions | ✅ Success | ✅ Success | | Manager assigns configured roles | ✅ Success | ✅ Success |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolve #24768
Problem Description
The system has privilege escalation issues:
AbpIdentity.Users.Update.ManageRolespermission can add Admin role to themselves or othersAbpIdentity.Users.ManagePermissionsorAbpIdentity.Roles.ManagePermissionspermission can grant others permissions they don't haveSolution
This PR introduces 3 core security mechanisms:
1. Role Assignability Control (for ManageRoles permission)
AssignableRolesconfiguration to each role, specifying which other roles it can assignAssignableRoles: [Sales, Support], can only assign these 2 roles, cannot assign Admin2. Permission Grant Authority Validation (for ManagePermissions permission)
3. Self-Modification Protection (for all management permissions)
AbpIdentity.Users.ManagePermissions)AbpIdentity.Roles.ManagePermissions)AbpIdentity.Users.Update.ManageRoles)New Permission Rules
Role Assignment Rules (
AbpIdentity.Users.Update.ManageRoles):AssignableRolesAssignableRoles, no restriction (backward compatible)Permission Grant Rules (
AbpIdentity.Users.ManagePermissionsandAbpIdentity.Roles.ManagePermissions):Self-Modification Rules:
AbpIdentity.Users.ManagePermissionsto modify their own user permissionsAbpIdentity.Roles.ManagePermissionsto modify permissions of roles they belong toAbpIdentity.Users.Update.ManageRolesto add new roles to themselves (can only remove)Effect Comparison
UI