Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential privilege escalation for apps with authenticate_users permission #1

Open
Artemis21 opened this issue Mar 7, 2021 · 1 comment
Open

Potential privilege escalation for apps with authenticate_users permission #1

Artemis21 opened this issue Mar 7, 2021 · 1 comment
Labels
discussion Not necessarily an issue, needs discussion security Security-related issue.

Comments

@Artemis21
Copy link
Member

An app with the authenticate_users permission can also use the permissions of any user, even if they are greater than the app's own, by authenticating as that user. Is this an issue? Or do we just treat authenticate_users as a "superuser" permission?
@Artemis21 Artemis21 added security Security-related issue. discussion Not necessarily an issue, needs discussion labels Mar 7, 2021
@Artemis21
Copy link
Member Author

Artemis21 commented Mar 8, 2021
edited
Loading

A fix for this, if it needs fixing, could mean associating sessions with the app that created them, which is not necessarily a bad thing. (The alternative would be to have per-scope permissions, which would allow having scopes more limited that of either the app or the user's permissions, which would be good for security, but might also get messy)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion Not necessarily an issue, needs discussion security Security-related issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Artemis21