Bug
Resolution: Fixed
Low
Severity 3 - Minor
Description
When a Crowd application has multiple directories and the Add Group permission is disabled for the top directory, the group is still created in the top directory when an admin adds a user from the top directory to a group that exists only in a lower-positioned directory.
Steps to reproduce
- Add 2 directories in Crowd:
  Directory 1: user 1, user 2, basegroup1, group2
  Directory 2: basegroup2, group3
- Create a JIRA application in Crowd
- In JIRA application (In Crowd), go to the Permission tab
- Disable the Add Group permission and enable the modify group permission for Directory 1 and Directory 2
- Connect Crowd to JIRA and configure it as read/write
- Perform synchronization
- In JIRA, try to add the user2 from Directory 1 to group3 from Directory 2
- The user is successfully added to group3 in JIRA, and a new group named group3 is created in Directory 1
For details, please review the following video
Recording #47.mp4
Expected behavior
group3 is not created in Directory 1
Actual Behavior
group3 is created in Directory 1
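As an added illustration (not code from the report or from Crowd itself), the following Python model reproduces the scenario above: a user from Directory 1 is added to group3, which exists only in Directory 2. The buggy path creates group3 in the user's home directory despite Add Group being disabled; the expected path refuses. The directory, user and group names are the constructed ones from the steps to reproduce, and the permission names ADD_GROUP and MODIFY_GROUP are assumptions. The shadowed_groups helper is a defender's audit that flags the symptom: one group name present in more than one directory.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)      # group name -> set of member usernames
    permissions: set = field(default_factory=set)   # e.g. {"MODIFY_GROUP"}; ADD_GROUP absent = disabled


class PermissionDenied(Exception):
    pass


def add_user_to_group(directories, username, groupname, enforce_add_group=True):
    """Add `username` to `groupname` in the directory that holds the user.

    Memberships live per directory, so if the user's home directory lacks the
    group it has to be created there. enforce_add_group=False mirrors the bug
    (group created regardless of permission); True is the expected behaviour.
    Returns the name of the directory that received the membership.
    """
    home = next(d for d in directories if username in d.users)
    if groupname not in home.groups:
        if enforce_add_group and "ADD_GROUP" not in home.permissions:
            raise PermissionDenied(f"{home.name}: Add Group disabled, refusing to create {groupname}")
        home.groups[groupname] = set()
    home.groups[groupname].add(username)
    return home.name


def shadowed_groups(directories):
    """Audit check: group names that exist in more than one directory."""
    seen = {}
    for d in directories:
        for g in d.groups:
            seen.setdefault(g, []).append(d.name)
    return {g: dirs for g, dirs in seen.items() if len(dirs) > 1}


def build_directories():
    # Constructed setup from the report: Add Group disabled, Modify Group enabled on both.
    d1 = Directory("Directory 1", {"user1", "user2"},
                   {"basegroup1": set(), "group2": set()}, {"MODIFY_GROUP"})
    d2 = Directory("Directory 2", set(),
                   {"basegroup2": set(), "group3": set()}, {"MODIFY_GROUP"})
    return [d1, d2]
```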
Hi,
Can you explain to me why the severity is set to minor?
What happened with our setup is that somebody was able to grant himself Crowd Administrator rights although he/she did not even belong to the dedicated Crowd User directory. This happened through the user management of Jira.
So all of a sudden this person has access to Crowd and could have done some serious damage there.
For me this is not minor, but SEVERE! And it should be treated as such and get the proper attention asap.
I am not even sure people are aware of this bug, because it is not that visible, but it is a serious flaw that could have serious repercussions when a lot of applications are connected to Crowd.
Please adjust accordingly and schedule for a fix asap.
Thanks,
Itahi.