Permissions: Small security problem

Hello, my dears,
me again.

I just noticed an important issue. When configuring the permissions, I came to the decision in consultation with the team that we want to enable agents to create accounts. No registration function is desired.

Our situation:
I have split the admin role in two in our rights system. There is a soft admin and a hard admin.
The hard admin has full rights without restrictions, and the soft admin can create or delete everything but cannot access the “Settings” item.

Shockingly, I’ve found that creating an account with higher privileges than the creator’s privileges is just so doable.

As an example: An agent can create both hard admins and soft admins.

In my opinion, this is a major security problem, which is why it is not possible to activate this function.
With the registration function switched off, I would like to relieve the admins and enable the agents to create new users. And by that I mean pure users, without further rights.

Possible solution?:
Is it possible to implement it in such a way that you build in a control that checks which role the user has and then allows the next smaller role to be created?

Or that you can set directly which is the maximum creator role? So it would also be dynamically implementable regardless of the existing roles…

Thank you for the great work. I’m very enthusiastic about trudesk and have finally found what I have been looking for forever. I can’t thank you enough!

Greetings Luukullus
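
One way the check asked for above could look, as an added example written for this thread and not code from trudesk. It implements both proposals from the post: a role ladder where each role may only create roles strictly below its own (the top role may create peers, otherwise nobody could ever add a second hard admin), and a configurable per-role “maximum creatable role” table that is validated before use. The four role names come from the post; their ordering, the policy table shape, the Express-style handler and the names `authorizeRoleAssignment` and `createUserHandler` are assumptions made for the example.

```javascript
// Added example for this thread, not trudesk's own code.
// Role names are from the post; their order (lowest to highest) is assumed.
const ROLES = ['user', 'agent', 'soft admin', 'hard admin'];
const rank = (role) => ROLES.indexOf(role); // -1 for anything not in the ladder

// Proposal 1: each role may only create the roles below its own.
// Design assumption: the top role may also create peers.
function defaultPolicy() {
  const policy = {};
  for (const role of ROLES) {
    const r = rank(role);
    policy[role] = r === ROLES.length - 1 ? role : r > 0 ? ROLES[r - 1] : null;
  }
  return policy;
  // => { user: null, agent: 'user', 'soft admin': 'agent', 'hard admin': 'hard admin' }
}

// Proposal 2: an admin-editable "maximum creator role" per role (assumed settings
// shape: creatorRole -> highest assignable role, or null for "may not create").
// Reject unknown names so a typo in settings cannot silently widen permissions.
function validatePolicy(policy) {
  for (const [creator, max] of Object.entries(policy)) {
    if (rank(creator) < 0) throw new Error(`unknown creator role in policy: ${creator}`);
    if (max !== null && rank(max) < 0) throw new Error(`unknown max role in policy: ${max}`);
  }
  return policy;
}

// Core check: fails closed on unknown creator roles, unknown requested roles,
// and any requested role above the creator's configured maximum.
function authorizeRoleAssignment(creatorRole, requestedRole, policy) {
  const max = policy[creatorRole];
  if (rank(creatorRole) < 0 || max === undefined || max === null) {
    return { ok: false, reason: `role '${creatorRole}' may not create accounts` };
  }
  if (rank(requestedRole) < 0) {
    return { ok: false, reason: `unknown role '${requestedRole}'` };
  }
  if (rank(requestedRole) > rank(max)) {
    return { ok: false, reason: `role '${creatorRole}' may assign at most '${max}', not '${requestedRole}'` };
  }
  return { ok: true };
}

// Hypothetical Express-style handler. The creator's role comes from the
// authenticated session, never from the request body, and a missing role
// defaults to the lowest one ("pure users, without further rights").
function createUserHandler(session, body, policy, store) {
  const requestedRole = body.role === undefined ? 'user' : body.role;
  const decision = authorizeRoleAssignment(session.role, requestedRole, policy);
  if (!decision.ok) return { status: 403, error: decision.reason };
  if (typeof body.username !== 'string' || body.username.length === 0) {
    return { status: 400, error: 'username required' };
  }
  const user = { username: body.username, role: requestedRole, createdBy: session.username };
  store.push(user); // stand-in for the database write
  return { status: 201, user };
}

// Demo with constructed input: an agent creating a plain user (allowed)
// and the same agent trying to create a hard admin (blocked).
const demoPolicy = validatePolicy(defaultPolicy());
const demoStore = [];
const agentSession = { username: 'alice', role: 'agent' };
console.log(createUserHandler(agentSession, { username: 'bob' }, demoPolicy, demoStore));
console.log(createUserHandler(agentSession, { username: 'mallory', role: 'hard admin' }, demoPolicy, demoStore));
```

The check has to run on the server: hiding the higher roles in the create-user form does not stop a crafted POST that sets `role` directly. The same check is worth applying wherever a role can be changed afterwards (editing an existing user), otherwise an agent could create a plain user and then promote it.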

Looking into this concern…
