| शीर्षक | eladmin 2.7 Improper Access Controls |
|---|
| विवरण | In eladmin v2.7, the POST /api/users endpoint binds the HTTP request body directly to the JPA User entity via @RequestBody Userresources. While the endpoint is protected by @PreAuthorize("@el.check('user:add')") and enforces a role-level hierarchy check(checkLevel()), neither guard inspects the isAdmin field, a Boolean property on the User entity that operates as a privilege flag entirely independent of the role-based access control system.When isAdmin is set to true, the RoleServiceImpl.buildPermissions() method short-circuits all role-based permission resolution and returns a single hard-coded "admin" authority. The central authorization gate AuthorityConfig.check() then evaluateselPermissions.contains("admin") as true, bypassing every @PreAuthorize annotation across the entire application. This effectively grants the newly created user unrestricted super-administrator access, regardless of the roles actually assigned to that account.
Any authenticated user holding the user:add permission can create an account that possesses full super-administrator privileges, bypassing all role hierarchy restrictions. This constitutes a vertical privilege escalation from a delegated administrative role to unrestricted system-wide access. The created account's elevated privileges persist across sessions and survive role reassignment, as isAdmin is evaluated independently of role membership. Furthermore, because the "admin" authority short-circuits all permission checks, this backdoor account cannot be constrained by any future role or menu configuration changes. |
|---|
| स्रोत | ⚠️ https://github.com/elunez/eladmin/issues/897 |
|---|
| उपयोगकर्ता | AliceS614 (UID 94277) |
|---|
| सबमिशन | 21/04/2026 08:59 AM (2 महीनों पहले) |
|---|
| संयम | 07/05/2026 07:22 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 361917 [eladmin तक 2.7 Users API Endpoint UserController.java checkLevel अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|