nielsla asked

VRM no full access but still be able to delete site. Security bug?

Hi @Johannes Boonstra (Victron Energy Staff) ,

One of our customers has permission to see our demo site, but he doesn't have the 'full access' role. He told me that if he logs in to our VRM, goes to our dashboard and clicks on the logo, he is directed to a new tab and is able to make changes. He can change our avatar, see our personal phone numbers and delete the complete site. I am wondering if this is possible and if it's safe enough. If I try to delete the site with a limited role, it looks like it is possible....

Thanks

Niels from LithiumAccus.nl

VRM

1 Answer
mvader (Victron Energy) answered ·

Hi @NielsLA , thanks for reporting!


We checked, and even though they can see the page, and though it looks like they can make changes, they cannot really make changes: as soon as you try to make a change, it will say access denied.


But, as it is still confusing, we'll no longer allow access to that page for such users.


Matthijs

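The answer above describes the pattern that makes this a usability bug rather than a security bug: the settings page is rendered for a limited user, but every change is rejected server-side with "access denied". The following is an added illustration of that pattern, not VRM code; the role names, action names, user and site IDs and the sample data are all assumptions made for the example. It shows a deny-by-default authorization check that the handlers call on every request, a separate UI-level decision that only controls whether the page is shown (the fix Victron announced), and a probe a tester would run to confirm that none of the privileged actions go through for a limited user.

```python
from enum import Enum


class Role(Enum):
    FULL = "full_access"   # may manage and delete the installation
    LIMITED = "limited"    # may only view the dashboard (assumed name for the example)


class AccessDenied(Exception):
    """Raised by the server-side check; the UI never gets to make this decision."""


# Assumed action names: VRM's real permission model is not described on the page.
PERMISSIONS = {
    Role.FULL: frozenset({"view_dashboard", "view_contact_details",
                          "change_avatar", "edit_settings", "delete_site"}),
    Role.LIMITED: frozenset({"view_dashboard"}),
}
# Everything a limited user must never be able to do.
PRIVILEGED_ACTIONS = PERMISSIONS[Role.FULL] - PERMISSIONS[Role.LIMITED]

# Constructed sample data: (user_id, site_id) -> role that user holds on that site.
SITE_ROLES = {
    (1001, 42): Role.FULL,     # the installer who owns the demo site
    (2002, 42): Role.LIMITED,  # the customer who was only granted viewing rights
}

# Constructed sample site state that the handlers below mutate.
SITES = {42: {"name": "Demo site", "avatar": "default.png", "deleted": False}}


def role_for(user_id, site_id):
    """Return the user's role on the site, or None when no access was granted."""
    return SITE_ROLES.get((user_id, site_id))


def authorize(user_id, site_id, action):
    """Deny by default: only an explicitly permitted (role, action) pair passes.

    This is the check every state-changing handler must call; it does not care
    whether the caller ever saw the settings page in the browser.
    """
    role = role_for(user_id, site_id)
    if role is None or action not in PERMISSIONS[role]:
        raise AccessDenied(f"user {user_id} may not {action} on site {site_id}")
    return role


def delete_site(user_id, site_id):
    authorize(user_id, site_id, "delete_site")
    SITES[site_id]["deleted"] = True
    return True


def change_avatar(user_id, site_id, new_avatar):
    authorize(user_id, site_id, "change_avatar")
    SITES[site_id]["avatar"] = new_avatar
    return SITES[site_id]["avatar"]


def should_show_settings_page(user_id, site_id):
    """UI decision only (the announced fix): hide the page from users who cannot
    use it. Hiding the page improves clarity but is not the security boundary."""
    return role_for(user_id, site_id) is Role.FULL


def probe_privileged_actions(user_id, site_id):
    """What a tester runs to verify the vendor's claim: attempt every privileged
    action as the given user and record whether the server denied it."""
    results = {}
    for action in sorted(PRIVILEGED_ACTIONS):
        try:
            authorize(user_id, site_id, action)
            results[action] = "allowed"
        except AccessDenied:
            results[action] = "denied"
    return results


if __name__ == "__main__":
    print("limited user sees settings page:", should_show_settings_page(2002, 42))
    print("limited user probe:", probe_privileged_actions(2002, 42))
    try:
        delete_site(2002, 42)
    except AccessDenied as exc:
        print("server said:", exc)
    print("site still present:", not SITES[42]["deleted"])
```

The probe is the check worth keeping in a regression suite: it should report "denied" for every privileged action for a limited user and for a user with no role at all, and the site record must be unchanged afterwards. The `should_show_settings_page` result can differ from the authorization result without weakening security; the reverse (a page hidden but the server accepting the request anyway) is the actual vulnerability class to test for.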