Improve robustness of admin role checks #32

New issue

Open

opened 2024-01-21 04:32:14 +01:00 by MoralCode · 0 comments

MoralCode commented 2024-01-21 04:32:14 +01:00

Owner

Copy link

Currently whether the user is an admin is determined by the string name of their role. This is reasonably secure since these are created in Auth0 by the super admin, so it would be very hard for an attacker to somehow mess with that, however, this should Ideally not be done this way because it is certifiably jank ™️.

a better way may be to have the super admin provide the Role ID values from auth0 as an environment variable to be used for comparisons. i.e. there could be env vars such as CLASSCLOCK_SUPERADMIN_ROLE_ID and CLASSCLOCK_SCHOOL_ADMIN_ROLE_ID. This would allow for future UI's to be created for the superadmin to be able to assign admins to schools on their instance and may be required for an open source release

Currently whether the user is an admin is determined by the string name of their role. This is reasonably secure since these are created in Auth0 by the super admin, so it would be very hard for an attacker to somehow mess with that, however, this should Ideally not be done this way because it is certifiably jank :tm:. a better way may be to have the super admin provide the `Role ID` values from auth0 as an environment variable to be used for comparisons. i.e. there could be env vars such as `CLASSCLOCK_SUPERADMIN_ROLE_ID` and `CLASSCLOCK_SCHOOL_ADMIN_ROLE_ID`. This would allow for future UI's to be created for the superadmin to be able to assign admins to schools on their instance and may be required for an open source release

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

python-upgrade

dependabot/pip/setuptools-70.0.0

dependabot/pip/zipp-3.19.1

dependabot/pip/certifi-2024.7.4

dependabot/pip/urllib3-1.26.19

dependabot/pip/requests-2.32.0

dependabot/pip/jinja2-3.1.4

dependabot/pip/werkzeug-3.0.3

dependabot/pip/idna-3.7

dependabot/pip/pygments-2.15.0

dependabot/pip/markdown-it-py-2.2.0

pre-migration-db-creation

docker-deploy

dev

sqlite

sqlalchemy

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

bug

Something isn't working

  

dependencies

Pull requests that update a dependency file

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

High Priority

  

invalid

This doesn't seem right

  

question

Further information is requested

  

reproduction needed

  

schema-fix-required

  

wontfix

This will not be worked on

No labels

bug

dependencies

documentation

duplicate

enhancement

good first issue

help wanted

High Priority

invalid

question

reproduction needed

schema-fix-required

wontfix

Milestone

Clear milestone

No items

No milestone

General Usability

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ClassClock/API#32

No description provided.