View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
5079 | Composr | core | public | 2022-11-26 21:56 | 2022-11-28 17:26 |
Reporter | PDStig
---|---
Assigned To | Chris Graham
Priority | normal
Severity | feature
Status | resolved
Resolution | fixed
Summary | 5079: Add additional admin session security / confirmation for sensitive member actions
Tags | Roadmap: v11, Type: Security

Description:

There are a few actions which I believe should have enhanced security (due to laws governing GDPR, privacy, and data breaches) / require a confirmed admin session regardless of the admin zone settings, namely actions that could either modify or leak potentially sensitive information about members:

* Editing a member's username, password, e-mail, phone number, or credit card information
* Deleting a member
* Deleting lurkers
* Merging a member (which involves deleting a member)
* Exporting members (especially since potentially sensitive information including hashed passwords is / can be included in the export)
* Running the Purge or Download action on privacy
* Any / all screens which display a member's IP address or other identifiable information
Note 0007751 (Chris Graham, 2022-11-28 15:05):

Patrick and I have discussed, and this basically is happening already in the sense sessions must be confirmed to use the Admin Zone or to edit/delete members. I am going to clean up that code a bit though as it's not formalised enough IMO. However, through discussion with Patrick some more specific ideas came up, so I'll post these as new issues.
Note 0007752 (Chris Graham, 2022-11-28 17:26):

The more I thought about this, the more I realised it is a thorny issue to do anything radical, and yet there were some tweaks we could do that got us to a similar place, effectively. Problems:

1) It would be slavish to forcibly give member detail lookup more security than, say, the zone editor, or anything that could cause massive havoc to totally destroy a site.
2) ... so we'd need proper configurability. But trying to implement a way of manually configuring different kinds of session confirmation timeouts for different areas would be like creating an entirely new parallel privileges system, a massive effort.
3) It's a lot easier said than done forcing re-login. What if login is automatic via LDAP? What if it is through OAuth? What if login is 2FA (looking ahead here), do we force a full 2FA step to do stuff? Does that become configurable?

So instead, I think it's best to just bolster the existing system of forcing confirmed sessions and applying reasonable privileges. I made these main changes:

1) Forced "view_any_profile_field" for member export (i.e. on top of normal Admin Zone access)
2) Forced "member_maintenance" for member import (FYI "assume_any_member" was already needed for importing usergroup changes)
3) Adjusted the Setup Wizard's high security profile to timeout sessions in 20 mins, and medium to 1 hour (which is the default pre-Setup Wizard anyway); this reduces the core issue of an admin confirming a session and then leaving their desk long enough for a sneak to mess with their machine
4) Only put password in exported spreadsheet if "assume_any_member" privilege
5) Fix session confirmation requirement for member account editing/deleting (was broken!)
6) Prevent AJAX scripts (etc) from bumping session timeout; we don't want an admin's machine to be left on and the notification poller (for example) to keep the session alive forever
7) Changed viewing member e-mail addresses to use the view_any_profile_field privilege not the member_maintenance privilege (for consistency)
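As an added illustration, not Composr's own code, here is a small Python model of the mechanism the note above describes: a confirmed-session window that only real page requests extend (so a background poller cannot keep it alive), checked before the per-action privilege. The timeout values and privilege names come from the note; the action-to-privilege mapping, `AdminSession`, `authorise` and `export_columns` are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Confirmation timeouts from the note's Setup Wizard profiles (seconds)
CONFIRM_TIMEOUT_HIGH = 20 * 60    # high security profile
CONFIRM_TIMEOUT_MEDIUM = 60 * 60  # medium profile / pre-wizard default

# Privilege required on top of Admin Zone access (assumed mapping, per the note)
SENSITIVE_ACTIONS = {
    "export_members": {"view_any_profile_field"},
    "import_members": {"member_maintenance"},
    "edit_member": {"member_maintenance"},
    "delete_member": {"member_maintenance"},
}

@dataclass
class AdminSession:
    privileges: Set[str]
    confirmed_at: Optional[float] = None  # None = credentials never re-entered
    last_activity: float = 0.0

    def confirm(self, now: float) -> None:
        """Admin re-entered credentials: start the confirmation window."""
        self.confirmed_at = now
        self.last_activity = now

    def touch(self, now: float, is_ajax: bool) -> None:
        """Only real page requests extend the window (change 6): a poller left
        running on an unattended machine must not keep the session alive."""
        if not is_ajax:
            self.last_activity = now

    def is_confirmed(self, now: float, timeout: float) -> bool:
        return self.confirmed_at is not None and now - self.last_activity <= timeout

def authorise(session: AdminSession, action: str, now: float, timeout: float) -> str:
    """Return 'reconfirm', 'forbidden' or 'ok' for a sensitive member action."""
    if not session.is_confirmed(now, timeout):
        return "reconfirm"            # confirmed session first (change 5)
    if SENSITIVE_ACTIONS[action] - session.privileges:
        return "forbidden"            # then the per-action privilege (changes 1, 2)
    return "ok"

def export_columns(session: AdminSession) -> list:
    """Password hashes only reach the export for assume_any_member (change 4)."""
    cols = ["username", "email"]
    if "assume_any_member" in session.privileges:
        cols.append("password_hash")
    return cols
```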
Date Modified | Username | Field | Change |
---|---|---|---|
2022-11-26 21:56 | PDStig | New Issue | |
2022-11-26 21:57 | PDStig | Description Updated | |
2022-11-26 21:57 | PDStig | Description Updated | |
2022-11-26 21:58 | PDStig | Description Updated | |
2022-11-28 01:58 | Chris Graham | Tag Attached: Roadmap: v11 | |
2022-11-28 01:58 | Chris Graham | Tag Attached: Type: Security | |
2022-11-28 01:58 | Chris Graham | Project | Composr alpha bug reports => Composr |
2022-11-28 01:58 | Chris Graham | Category | General => core |
2022-11-28 15:05 | Chris Graham | Assigned To | => Chris Graham |
2022-11-28 15:05 | Chris Graham | Status | Not Assigned => Closed |
2022-11-28 15:05 | Chris Graham | Resolution | open => no change required |
2022-11-28 15:05 | Chris Graham | Note Added: 0007751 | |
2022-11-28 17:26 | Chris Graham | Status | Closed => Resolved |
2022-11-28 17:26 | Chris Graham | Resolution | no change required => fixed |
2022-11-28 17:26 | Chris Graham | Note Added: 0007752 | |