
createExperimenterWithPassword SecurityViolation Cannot change the password of a more privileged user #567

Open
will-moore opened this issue Jul 11, 2024 · 1 comment


@will-moore
Member

https://www.openmicroscopy.org/qa2/qa/feedback/41761/

Traceback (most recent call last):
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/decorators.py", line 538, in wrapped
    retval = f(request, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/decorators.py", line 597, in wrapper
    context = f(request, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webadmin/views.py", line 526, in manage_experimenter
    conn.createExperimenter(
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webclient/webclient_gateway.py", line 1129, in createExperimenter
    exp = admin_serv.createExperimenterWithPassword(
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero/gateway/__init__.py", line 4859, in __call__
    return self.handle_exception(e, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omeroweb/webclient/webclient_gateway.py", line 2123, in handle_exception
    super(OmeroWebSafeCallWrapper, self).handle_exception(e, *args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero/gateway/__init__.py", line 4856, in __call__
    return self.f(*args, **kwargs)
  File "/opt/omero/web/venv3/lib64/python3.9/site-packages/omero_api_IAdmin_ice.py", line 1866, in createExperimenterWithPassword
    return _M_omero.api.IAdmin._op_createExperimenterWithPassword.invoke(self, ((user, password, defaultGroup, groups), _ctx))
omero.SecurityViolation: exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: Cannot change the password of a more privileged user.
        at ome.logic.AdminImpl.changeUserPassword(AdminImpl.java:1274)
        at ome.logic.AdminImpl.createExperimenterWithPassword(AdminImpl.java:722)
@sbesson
Member

sbesson commented Jul 12, 2024

I suspect the easiest workflow to reproduce this type of security violation would be to:
1- create a light administrator with permissions to create other users
2- log in to OMERO.web using this light administrator
3- try to create a full administrator using the OMERO.web admin UI, i.e. create a new user and add it to the system group
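The reproduction above boils down to a privilege-ordering rule that the server enforces inside `changeUserPassword`, which `createExperimenterWithPassword` calls (as the server stack trace shows). The following is an added Python model of that rule and of the early check a web layer could make; it is illustration code, not OMERO's implementation. The rule is inferred from the error text ("Cannot change the password of a more privileged user"), the privilege names are constructed placeholders patterned on OMERO light-admin privileges, and the requirement that creating a user needs a `ModifyUser` privilege is an assumption matching step 1 of the workflow.

```python
"""Model of the privilege rule behind 'Cannot change the password of a more
privileged user'.  Added illustration, not OMERO's code.

Assumed rule: an admin may set a password only for a user who holds no
privilege the admin lacks.  Membership of the system group means full
administrator (every privilege); light admins hold an explicit subset.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

SYSTEM_GROUP = "system"

# Constructed privilege names (placeholders, not OMERO's definitive list).
ALL_PRIVILEGES = frozenset({
    "ModifyUser", "ModifyGroup", "ModifyGroupMembership",
    "Sudo", "ReadSession", "Chown", "WriteOwned",
})


class SecurityViolation(Exception):
    """Stand-in for ome.conditions.SecurityViolation."""


@dataclass
class Experimenter:
    omename: str
    groups: set = field(default_factory=set)
    light_admin_privileges: frozenset = frozenset()
    has_password: bool = False

    @property
    def privileges(self) -> frozenset:
        """Effective privileges: system-group members get all of them."""
        if SYSTEM_GROUP in self.groups:
            return ALL_PRIVILEGES
        return self.light_admin_privileges


def can_change_password(actor: Experimenter, target: Experimenter) -> bool:
    """Server rule (assumed): target holds no privilege that actor lacks."""
    return target.privileges <= actor.privileges


def change_user_password(actor: Experimenter, target: Experimenter,
                         password: str) -> None:
    """Models AdminImpl.changeUserPassword: check the rule, then set."""
    if not can_change_password(actor, target):
        raise SecurityViolation(
            "Cannot change the password of a more privileged user.")
    # A real server hashes and stores the password; the model only records
    # that one was set.
    target.has_password = bool(password)


def create_experimenter_with_password(actor: Experimenter, omename: str,
                                      password: str, groups: set) -> Experimenter:
    """Models IAdmin.createExperimenterWithPassword, which per the traceback
    delegates to changeUserPassword and therefore inherits its check."""
    if "ModifyUser" not in actor.privileges:   # assumption: creation needs this
        raise SecurityViolation("Not permitted to create users.")
    new_user = Experimenter(omename, set(groups))
    change_user_password(actor, new_user, password)
    return new_user


def preflight_create(actor: Experimenter, groups: set) -> Optional[str]:
    """Client-side check a UI can run before calling the server.
    Returns None if the call would pass, else a human-readable reason."""
    if "ModifyUser" not in actor.privileges:
        return "You are not permitted to create users."
    prospective = Experimenter("<new>", set(groups))
    if not can_change_password(actor, prospective):
        missing = sorted(prospective.privileges - actor.privileges)
        return ("You cannot set a password for a user who would hold "
                "privileges you lack: " + ", ".join(missing))
    return None


def safe_create(actor: Experimenter, omename: str, password: str,
                groups: set) -> Tuple[Optional[Experimenter], Optional[str]]:
    """Web-layer wrapper: fail early with a clear message rather than letting
    the server's SecurityViolation surface as a 500 traceback.  The server
    check stays authoritative, so the exception is still handled."""
    reason = preflight_create(actor, groups)
    if reason is not None:
        return None, reason
    try:
        return create_experimenter_with_password(actor, omename, password, groups), None
    except SecurityViolation as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed actors: a light admin who may create users, and root.
    light = Experimenter("lightadmin", {"default"},
                         frozenset({"ModifyUser", "ModifyGroupMembership"}))
    print(safe_create(light, "alice", "secret", {"lab"}))             # created
    print(safe_create(light, "bob", "secret", {"lab", SYSTEM_GROUP}))  # refused
```

Running the model with the light admin from step 1 shows the two outcomes: creating an ordinary user succeeds, while creating a user in the system group is refused with the list of privileges the light admin lacks, which is the message the web UI could show instead of the traceback.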
