Security issue in the client

In this topic on SDN forum, we came to the conslusion that every use who can access the User Manager, also canmake himself and any other user Administrator.
This problems is caused by the User Editor where all fields, the user contains, are readen and displayed. This allows you add additional fields which are aditable, really quickly(you can do in the file ‘Security Templates.xml’ located in /Website/sitecore/shell).

But the problem is, the Administrator checkbox is also a field… As this is a quite heavy exploit for some users, I’ve decided to create a patch. Ofcourse this isn’t an official patch, but it works at least.

So how did I solve it? Well… first of all I’ve located the XAML file:
/sitecore/shell/applications/security/Edit user/Edit user.xml
Inside this file, I found the following CodeBeside tag:
<CodeBeside Type=”Sitecore.Shell.Applications.Security.EditUser.EditUserForm,Sitecore.Client”/>
At that moment I edpho that I would be able to override a single method, to change the behaviour of the control. So I opened the EditUserForm using the cool 5.0 version of Lutz Roedder Reflector. And looked at the  following Disassembled code in the OnLoad method:

After running trough this code I decided it would be way to much work te rewrite it. I should have to rewrite anything which is a lot of work as copying disassembled code is not done as it onle results in not readible code => bugs.
The resolution for this problem was quite easy. First I want to do the original method do it’s work and later on, in an overriden method, I just had to disable the Checkbox when the user isn’t an Administrator. This resulted in the following code:

    1 using Sitecore;

    2 using SCU = Sitecore.Shell.Applications.Security.EditUser;

    3 using MSUI = System.Web.UI;

    4 using Sitecore.Web.UI.HtmlControls;

    5 

    6 namespace Sitecore.ShellExtensions.Applications.Security.EditUser

    7 {

    8     class EditUserForm : SCU.EditUserForm

    9     {

   10         private static bool EnableAdminToggle

   11         {

   12             get { return Context.User.IsAdministrator; }

   13         }

   14         protected override void OnLoad(System.EventArgs e)

   15         {

   16             base.OnLoad(e);

   17             if(!Context.ClientPage.IsEvent && !EnableAdminToggle)

   18             {

   19                 MSUI.Control adminControl = Fields.FindControl(“Administrator”);

   20                 Checkbox checkbox = adminControl as Checkbox;

   21                 if (checkbox != null)

   22                 {

   23                     checkbox.Disabled = true;

   24                 }

   25             }

   26         }

   27     }

   28 }

 As you can see, because of the duplicate classes in the used namespaces, I had to make ‘m unique. This is done using aliases(using [alias] = [namespace]).
So now the code is written, I’ve to add it to the control. Actually, I don’t want to edit the control at all as in the following version of Sitecore it can be way changed. So I’ve decided to copy the XAML file to the override-folder of Sitecore which is located in /sitecore/shell/override/. After copying, I change the CodeBeside tag so it reffers my newly created class:
<CodeBeside Type=”Sitecore.ShellExtensions.Applications.Security.EditUser.EditUserForm,Sitecore.ShellExtensions”/>

Afterwards, I’ve created a package and released version 0.1 of my Extensions, but wile writing, I realised the New User wizard has the same problem. Therefor, I’ve created the following overriding code:

    1 using SCU = Sitecore.Shell.Applications.Security.CreateNewUser;

    2 using MSUI = System.Web.UI;

    3 

    4 namespace Sitecore.ShellExtensions.Applications.Security.CreateNewUser

    5 {

    6     class CreateNewUserForm  : SCU.CreateNewUserForm

    7     {

    8         private static bool EnableAdminToggle

    9         {

   10             get { return Context.User.IsAdministrator; }

   11         }

   12         protected override void OnLoad(System.EventArgs e)

   13         {

   14             base.OnLoad(e);

   15             if (!EnableAdminToggle && Administrator != null)

   16             {

   17                 Administrator.Disabled = true;

   18             }

   19         }

   20     }

   21 }

Again I’ve copied the original XAML file to the override folder and here are the (visual) results. You can click on the image to see the images in the original size:

As you could see this wasn’t rocket-sience. I wouldn’t even say it was sience at all. These enhancement can be easily made by anyone who is able to create a .NET Class Library project.
As mentioned in the topic, this is also submitted to the Core team. Hopefully, they will changing this behaviour in the upcoming version. Until this version is released, you can:

Have fun :).

Btw: Neither LECTRIC, Sitecore or myself is responsible for any harm caused by this fix/extension. You are responsible for testing everything on your development environment and for installing it in a right way. Hope that’s clear 🙂