zentralopensource / zentral / 26761988008

88%

push

github

Prevent role escalation in user/service-account forms (#1493)

A non-superuser editing another user's groups can now only add groups
they themselves belong to — the escalation-prevention pattern from K8s
RBAC and AWS permission boundaries. Implemented as
RoleMembershipGrantMixin shared by UpdateUserForm and
ServiceAccountForm: rejects added groups in clean() and renders them
as disabled options in the multi-select. Removals are unrestricted by
design — escalation risk is granting, not revoking.

Also relabels the auto-generated M2M field as "Roles" to match the
rest of the UI, drops the auth-default help text that referenced
permissions, widens the widget, and moves the disabled-options
SelectMultiple to zentral/utils/forms.py for reuse.

Co-authored-by: Sebastian Fuchs <sebastian@zentral.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

67 of 67 new or added lines in 3 files covered. (100.0%)

46329 of 52600 relevant lines covered (88.08%)

0.88 hits per line