[Deploying Sakai] Elevating privileges on Sakai

Steve Swinsburg steve.swinsburg at gmail.com
Tue Oct 18 17:34:45 PDT 2011


Hi Leon,

It sounds like you've given the access user role the site.upd permission. Possibly in the template.

That is what allows a user to change things in the Site Info tool. You should disable that immediately and then update all realms.

You want site.visit only in that list of site ones.

cheers,
Steve


On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:

> Hello,
> 
> We're using Sakai 2.6.2 version.
> Recently, one of our users raised concern about "access" and "maintain" users.
> The problem is that any "access" user can go to "Site info"->"Manage Access" and change "Role for people that join site:" from access to maintain.
> Now if this site is joinable, any new user will have "maintain" access rights and would be able to change permissions/delete members/even delete site!
> 
> Are you aware of this issue?
> Any tips on how to fix/workaround this problem?
> 
> Cheers,
> Leon Kolchinsky

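An added example, not part of the original thread and not Sakai's own code: an audit query that lists every realm where the access role holds a site.* permission other than site.visit, the misconfiguration the reply describes. The table and column names are assumed from the stock Sakai authorization schema and should be checked against your database; the in-memory database and its rows are constructed sample data.

```python
import sqlite3

# Assumed names: stock Sakai authz tables/columns; verify against your own schema.
AUDIT_SQL = """
SELECT r.REALM_ID, f.FUNCTION_NAME
FROM SAKAI_REALM_RL_FN rf
JOIN SAKAI_REALM r          ON r.REALM_KEY = rf.REALM_KEY
JOIN SAKAI_REALM_ROLE ro    ON ro.ROLE_KEY = rf.ROLE_KEY
JOIN SAKAI_REALM_FUNCTION f ON f.FUNCTION_KEY = rf.FUNCTION_KEY
WHERE ro.ROLE_NAME = ?
  AND f.FUNCTION_NAME LIKE 'site.%'
  AND f.FUNCTION_NAME <> 'site.visit'
ORDER BY r.REALM_ID, f.FUNCTION_NAME
"""

def build_sample_db():
    """Constructed in-memory stand-in for the Sakai database (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SAKAI_REALM (REALM_KEY INTEGER PRIMARY KEY, REALM_ID TEXT);
        CREATE TABLE SAKAI_REALM_ROLE (ROLE_KEY INTEGER PRIMARY KEY, ROLE_NAME TEXT);
        CREATE TABLE SAKAI_REALM_FUNCTION (FUNCTION_KEY INTEGER PRIMARY KEY, FUNCTION_NAME TEXT);
        CREATE TABLE SAKAI_REALM_RL_FN (REALM_KEY INTEGER, ROLE_KEY INTEGER, FUNCTION_KEY INTEGER);
        INSERT INTO SAKAI_REALM VALUES
            (1, '!site.template'), (2, '/site/constructed-a'), (3, '/site/constructed-b');
        INSERT INTO SAKAI_REALM_ROLE VALUES (1, 'access'), (2, 'maintain');
        INSERT INTO SAKAI_REALM_FUNCTION VALUES
            (1, 'site.visit'), (2, 'site.upd'), (3, 'content.read');
        INSERT INTO SAKAI_REALM_RL_FN VALUES
            (1, 1, 1), (1, 1, 2), (1, 2, 1), (1, 2, 2),  -- template: access wrongly holds site.upd
            (2, 1, 1), (2, 1, 2), (2, 2, 2),             -- site created from the bad template
            (3, 1, 1), (3, 1, 3), (3, 2, 2);             -- correctly configured site
    """)
    return db

def audit_role(db, role="access"):
    """Return (realm_id, function) pairs where `role` holds a site.* permission beyond site.visit."""
    return db.execute(AUDIT_SQL, (role,)).fetchall()

if __name__ == "__main__":
    for realm_id, function in audit_role(build_sample_db()):
        print(f"{realm_id}: role 'access' has {function}")
```

A template realm in the output means sites created from it inherit the grant, which is why the reply says to update all realms after fixing it.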

