ACL system allows admin users to add themselves to roles of greater seniority (2.50)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
The current ACL system does not prevent a user with Admin privileges from adding themselves to roles which have a seniority greater than their own.

By viewing the "Customer Roles" tab of a customer account in the administration area it is possible for any admin user to assign additional roles to their account, thus granting them all of the features enabled for those roles.

This oversight completely invalidates the ACL system.

And it is not possible to hide "Customer Roles" without hiding all Customer management.
11 years ago
aladino wrote:
The current ACL system does not prevent a user with Admin privileges from adding themselves to roles which have a seniority greater than their own.

By viewing the "Customer Roles" tab of a customer account in the administration area it is possible for any admin user to assign additional roles to their account, thus granting them all of the features enabled for those roles.

Right. Now you can simply disable "Manage customers" permission if it's acceptable for you.

Each permission should be extended to "View/Add/Edit/Delete" in order to fix it. For example, "Manage customers" will become "View customer details/Add new customers/Edit customers/Delete customers". The same will be done for customer roles, etc. But it seems to be too complex.
P.S. The work item is already created. But I don't know a good and simple way to fix it
11 years ago
Ok. I'm thinking about possible solutions.

I need to maintain customer management and hide Customer Roles. This is possible only by code, correct?

Thanks!
11 years ago
A small improvement is to add permissions to manage "Customer Roles" in ACL.

Example:
The administrators can:
1. Manage Customers
2. Manage Customer Roles

The ecommerce administrators (new role!) can:
1. Manage Customers
2. NOT Manage Customer Roles
11 years ago
Right, this is the best implementation

Luigi
11 years ago
Another idea:
Assign a level to roles. Example:
1. Administrators
2. e-commerce administrators
3. Forum Moderators
4. guest
5. registered

Users with level n cannot assign roles with level x<n. Ex: user foo with level 2 cannot update users to assign them level 1.
11 years ago
aladino wrote:
Another idea
...
...
...

Thanks for the suggestion. But it also seems to be a bit complex. Maybe the easiest solution will be adding a new "Manage customer roles" permission (to manage customer roles in admin area > customers > customer roles) and something like "Manage customer roles for certain customers" permission (to manage customer roles in admin area > customer details page > customer roles).
11 years ago
a.m. wrote:
Another idea
...
...
...
Thanks for the suggestion. But it also seems to be a bit complex. Maybe the easiest solution will be adding a new "Manage customer roles" permission (to manage customer roles in admin area > customers > customer roles) and something like "Manage customer roles for certain customers" permission (to manage customer roles in admin area > customer details page > customer roles).


How about having the option be an extension of the ACL permission "Admin Area. Manage customer roles"?

So, on the Customers > Customers page remove the "Customer roles" checkboxes from the initial page and add them to a tabbed page within the Customers > Customers page and call the tab "Assigned Roles" (or whatever). Then, when the administrator unchecks the ACL permission above, two things happen:

1) The Customers > Customer Roles menu option is inaccessible (which is already the current behavior).
2) The tabbed "Assigned Roles" page under Customers > Customers disappears or displays "You do not have permission..." (depending on whether you have the "Hide admin menu items based on permissions" option checked or not).

This way you don't actually have to tweak any permissions, you just have to hide or unhide the "Assigned Roles" tab.

On other tabbed pages within the nopCommerce Admin panel, the URL doesn't change when you go to the different tabbed pages, so it wouldn't be that easy to circumvent permissions by trying to go to the URL directly, etc.
11 years ago
This is an amendment to my previous post...

Regarding number 2, if you go in to Edit a customer, there is already a Customer Roles tab there... So, just make that tab disappear when the "Admin Area. Manage Customer Roles" ACL permission is unchecked. Then in the Customers > Customers page simply get rid of the search by Customer roles option (or maybe make it only visible if they have that aforementioned ACL permission).
11 years ago
For a 2-minute solution, add the following to the admin customers controller, in the create/edit actions within the add-roles loop:

// Don't allow non-admins to add users to the Administrators group.
// SecurityException lives in System.Security, so the controller needs that using directive.
if (customerRole.Name == "Administrators" && !_workContext.CurrentCustomer.IsAdmin())
    throw new SecurityException("You do not have permission to add customers to the administrator role");
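The check above only guards the Administrators role. The level-based rule proposed earlier in the thread (a user at level n cannot assign any role with level x<n) generalises it to every role. The following is an added, stand-alone illustration of that rule, not nopCommerce code; the role names, levels and the `RoleAssignmentGuard` class are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;

// Hypothetical seniority table: a lower number means a more senior role,
// mirroring the numbered list in the thread.
public record CustomerRole(string SystemName, int Level);

public static class RoleAssignmentGuard
{
    // Constructed sample roles, not nopCommerce's real role table.
    public static readonly IReadOnlyList<CustomerRole> Roles = new[]
    {
        new CustomerRole("Administrators", 1),
        new CustomerRole("EcommerceAdministrators", 2),
        new CustomerRole("ForumModerators", 3),
        new CustomerRole("Guests", 4),
        new CustomerRole("Registered", 5),
    };

    // The acting user's effective level is the most senior (smallest) level among its roles.
    // A user with no roles gets int.MaxValue and therefore cannot grant anything.
    public static int EffectiveLevel(IReadOnlyCollection<CustomerRole> actorRoles) =>
        actorRoles.Count == 0 ? int.MaxValue : actorRoles.Min(r => r.Level);

    // True only if the actor may grant 'target': the target's level must not be more
    // senior than the actor's own. This is what stops an e-commerce admin (level 2)
    // from adding anyone, themselves included, to Administrators (level 1).
    public static bool CanAssign(IReadOnlyCollection<CustomerRole> actorRoles, CustomerRole target) =>
        target.Level >= EffectiveLevel(actorRoles);

    // Drop-in replacement for the single-role check in the add-roles loop.
    public static void EnsureCanAssign(IReadOnlyCollection<CustomerRole> actorRoles, CustomerRole target)
    {
        if (!CanAssign(actorRoles, target))
            throw new SecurityException($"You do not have permission to assign the '{target.SystemName}' role");
    }

    public static void Main()
    {
        var ecommerceAdmin = Roles.Where(r => r.SystemName == "EcommerceAdministrators").ToList();
        foreach (var role in Roles)
            Console.WriteLine($"e-commerce admin may grant {role.SystemName}: {CanAssign(ecommerceAdmin, role)}");
        // Administrators -> false; every other role -> true
    }
}
```

Calling EnsureCanAssign with the current customer's roles and each role being added covers both the self-promotion case from the first post and the level rule from the later one.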