Comment 1 Eclipse Genie 2015-04-02 09:57:52 EDT

New Gerrit change created: https://git.eclipse.org/r/45139

Comment 2 Maximilian Koegel 2015-04-08 09:38:57 EDT

AdminEMFStore.addInitialParticipant is a method that is available to remote EMFStore clients, e.g. via XMLRPC to add roles to a user. It was introduced to be able to assign the ProjectAdmin role to a user that has just created a project.
Calls to the methods are not sufficiently restricted to prevent escalating the privileges of authenticated users. In the worst case malicious clients can escalate their privileges of a user to server admin, which will provide full access to all projects on the server. Please note that a user still needs to provide valid credentials in this case and the malicious client needs to either directly access the server via XMLRPC or it needs to use internal API in the EMFStore client code. 

The proposed fix will reject calls in three additional cases:
1. Reject calls to the method if the respective flag for assigning project admin rights to newly shared projects by default is turned OFF.
2. Reject calls to the method that try to add server admin roles to the current user
3. Reject calls to the method adding any role to a project which was not created with the same session ID as the current call.

Comment 3 Eclipse Genie 2015-04-10 04:06:18 EDT

Gerrit change https://git.eclipse.org/r/45139 was merged to [maintenance_1.4].
Commit: http://git.eclipse.org/c/emf-store/org.eclipse.emf.emfstore.core.git/commit/?id=5de1ad68387491c38fdf220f057163e9618567c9

Comment 4 Eclipse Genie 2015-04-15 04:29:30 EDT

New Gerrit change created: https://git.eclipse.org/r/45848

Comment 5 Eclipse Genie 2015-04-15 10:15:58 EDT

Gerrit change https://git.eclipse.org/r/45848 was merged to [maintenance_1.4].
Commit: http://git.eclipse.org/c/emf-store/org.eclipse.emf.emfstore.core.git/commit/?id=27f5c554622563baf178b4c7b4a0ae2ae49cdb09