2.1.3
Orchard Core 2.1.3¶
Release Date: December 12, 2024
This release includes critical security fixes that grant unintentionally full access to certain users.
Changelog¶
Important Security Notice: Role Assignment Issue After Upgrade¶
If you have recently upgraded from a previous version of Orchard Core to version 2.1.0, 2.0.1, or 2.0.2, please be aware of a potential security issue that may impact your system. Specifically, if a role is assigned with no permissions, any user assigned to that role will automatically be granted the Administrator role after the upgrade, potentially giving them full access to your site.
Example Scenario:¶
Let's say your app includes a role named Director, which has no permissions assigned. If a user like Mike is assigned to this role, after the upgrade, Mike will automatically be granted the Administrator role, giving them full control over your site. This could pose a significant security risk if not addressed promptly.
Mitigation Steps:¶
To ensure your site's security, we strongly recommend that you review the users who currently have the Administrator role. If you find users who should not have administrative privileges, you should remove the Administrator role from their account immediately.
How to Check Users Assigned to the Administrator Role:¶
- Identify the Administrator Role:
-
Go to the
/Admin/Roles/Index
page on your site. Check if the Administrator role has a System badge. -
If the Administrator role has the System badge, proceed with the following steps:
- Go to the
/Admin/Users/Index?q=role:Administrator
page. - Review the list of users assigned the Administrator role.
- For any users who should not have Administrator privileges, click Edit on their account and remove the role.
- Go to the
-
If the Administrator role does not have the System badge, follow these steps:
- Look for the role with the System badge. This role is typically named SiteOwner or something similar (e.g., SiteOwner1, SiteOwner2, etc.).
- Once identified, replace
Site__Owner_RoleName_Goes_Here
with the correct role name and visit the/Admin/Users/Index?q=role:{Site__Owner_RoleName_Goes_Here}
page on your site. - Review the list of users with the site owner role.
- For any users who should not have site owner privileges, click Edit on their account and remove the role.
Final Reminder:¶
We recommend that you take immediate action to verify user roles and ensure that only authorized users have administrative or site owner access. Failing to do so could expose your application to significant security risks.