Bug + Security Issue: Error 403 - switching users CHTv4 web

Hi Medic team,

With CHT v4, when I login as one user and then logout, and try to login as a new user, I get this error message: “Access denied: You have insufficient privileges to view this page. Talk to an administrator to increase your privileges.”

The url for the login keeps the username for the first person. If I clear that part of the URL out, I can then login. I shared with my colleague Ian who gave this summary:

Not you or your browser. It’s a fun party trick that’s part of the CHT web app. I don’t see a way you can disable it. If you ask me, including an unlogged-in username in the URL is itself a security vulnerability. Also, the whole logout functionality just seems… broken (if I clicked logout, it shouldn’t be telling the app to redirect me to the page I was just on).

Can you please resolve asap? We are rolling out CHTv4 on webapp with users who share tablets in kiosk mode. Thus logging in/out will be commonplace for our use case.

Thanks! @cliff

1 Like

Hi @Beth

Indeed we try to allow easier relogs when users logout, and there is no way to turn this behavior off. I can’t find when this was added, but this was definitely a feature in CHT v3 (for example this is an issue where we did have a problem removing the redirect when the user changed: Remove redirect from log out. · Issue #6479 · medic/cht-core · GitHub and was resolved in CHT 3.9).

However, I’m trying to replicate the behavior that you are describing as a bug where your new logged user gets redirected to an incorrect page, and cannot.
We have code in API that will ignore the redirect parameter if the new logged in user is different: cht-core/api/src/public/login/script.js at master · medic/cht-core · GitHub . So the new logged in user will be redirected to their “home” instead of the previous user’s page.

I’m suspecting that this is related somehow to how you have set up your users permissions.

1 Like
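The reply above says the API drops the redirect parameter when the newly logged-in user differs from the one the URL was generated for. The block below is an added illustration of that decision, not cht-core’s own login script: the query parameter names `redirect` and `username`, the `/medic/login` path and the sample URL are all assumed. It also refuses anything that is not a site-relative path, which is the check a reviewer would want next to a redirect parameter.

```javascript
// Added illustration, not cht-core's login script: choose where a user lands
// after login when the login URL still carries the previous user's details.
// Query parameter names "redirect" and "username" are assumed for this example.

// Accept only a site-relative path. Absolute URLs, protocol-relative "//host"
// forms and CR/LF characters are refused, so a stale or tampered parameter can
// never turn into an open redirect or a header injection.
function isSafeRelativePath(target) {
  if (typeof target !== 'string' || target.length === 0) return false;
  if (target[0] !== '/') return false;
  if (target.startsWith('//') || target.startsWith('/\\')) return false;
  if (/[\r\n]/.test(target)) return false;
  return true;
}

// previousUser: the user the redirect was generated for (remembered in the URL)
// loggedInUser: the user who has just authenticated
// redirect:     redirect parameter from the login URL, possibly undefined
// homeUrl:      the app's default landing page for any user
function chooseLandingUrl({ previousUser, loggedInUser, redirect, homeUrl = '/' }) {
  // A different user is never dropped onto the previous user's page: their
  // roles may not grant access to it, which is exactly how a 403 shows up.
  if (!previousUser || previousUser !== loggedInUser) return homeUrl;
  if (!isSafeRelativePath(redirect)) return homeUrl;
  return redirect;
}

// Convenience wrapper: pull both parameters out of a full login URL.
function landingUrlFromLoginUrl(loginUrl, loggedInUser, homeUrl = '/') {
  const params = new URL(loginUrl).searchParams;
  return chooseLandingUrl({
    previousUser: params.get('username') || undefined,
    loggedInUser,
    redirect: params.get('redirect') || undefined,
    homeUrl,
  });
}

// Constructed scenario from the thread: Beth logs out, the login URL still
// names her, and Cliff logs in on the same shared tablet.
const staleLoginUrl =
  'https://cht.example.org/medic/login?redirect=%2Fmedic%2F%23%2Freports&username=beth';
console.log(landingUrlFromLoginUrl(staleLoginUrl, 'cliff')); // "/" (home, not Beth's page)
console.log(landingUrlFromLoginUrl(staleLoginUrl, 'beth'));  // "/medic/#/reports"
```

The same-user check alone does not make the parameter safe; the path check is what stops a crafted login link from sending a user off-site after they authenticate.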

I was also initially unable to reproduce the issue with two valid users who can log in independently, but can not log in right after one another… I was able to reproduce it by creating a new user with only usertype.national_admin role. When I logged in I saw this:

A fix was to give the user more permissions with the Program Officer Role. When I did this, I immediately saw this in my other session where I saw the Access denied:

Confusingly, when I clicked “Reload” I was shown the same 403 URL (see “B”) and reloading didn’t fix it. That said, clicking any of the icons (see “A”) or “Back” did fix it:

@Beth - to verify our theory of a user permission error, can you try:

  1. ensure you’re logged out
  2. go to the base URL of your instance with no path (eg https://cht.example.org).
  3. login with the user in question

I expect you’ll see a permissions error, nothing to do with any other user. If yes, please see if editing the user roles fixes the issue. If no, let us know!

2 Likes

Thanks @mrjones, I have followed the steps here and on logging in with the user in question I see the permission error.

@mrjones could you kindly clarify more on this?
Thanks

This is great! Thanks for verifying that the error you’re seeing has nothing to do with the login URL as @Beth initially thought. Instead, this means you need to fix your user permissions so they’re allowed to login and view the UI.

I don’t know your hierarchy, but the fix for me when using the default config was to give my user the Program Officer Role. When I did this, I was able to login without error. If you’re unsure what role does what, you can login as an admin and compare the permissions each role has on the permissions page (eg http://cht.example.org/admin/#/authorization/permissions)

See our docs for a complete list of permissions.

1 Like

Thanks @mrjones. Well, according to the hierarchy the user in question here is a Social Worker or Case Manager, who are below the National Manager and Regional Manager, so we can’t grant them top-level permissions for the Program Officer.

@mrjones I have tested this out on other systems (3.x app versions) and all works fine when you login with one user after another subsequently. Not sure of the exact user permission that is to rectify this though, still investigating.

Thanks for the update Cliff. It’s not any specific hierarchy - that is entirely customizable per deployment. It is the permissions that you have granted to each role in the hierarchy. Permissions are static, but the configuration of which roles have them is what changes.

@diana - do you have some guidance on which permissions would cause the Access denied error we’re seeing here and which would unblock a given role?

Hi @cliff

One of the things that changed with 4.x is that we have deprecated the national_admin role. In 3.x, this role was hardcoded to have a number of special permissions granted to it without needing to explicitly set them in the config.
As of 4.x, this role gets no additional permissions.

This doesn’t have anything to do with hierarchy.

Can you share:

  1. the list of roles that the users that are seeing this error have
  2. the list of roles you have configured for the app

I’m suspecting these users only have national_admin roles and this role is not configured explicitly in your configuration.

Hello @diana @mrjones, sorry for the delayed response…
I noticed that the users where this error was happening had been deleted.
So I tried a fresh new 4.15 app version with only the default medic user and added in a new user called cliff.

Then I logged out as the medic user and logged in again as the cliff user and all was okay. Then I logged out as the cliff user and logged in again as the medic user and all was fine.

@diana @mrjones here are the fresh new roles and permissions:

    "roles": {
      "national_admin": {
        "name": "usertype.national-manager"
      },
      "district_admin": {
        "name": "usertype.district-manager",
        "offline": true
      },
      "gateway": {
        "name": "usertype.gateway"
      },
      "intervation_admin": {
        "name": "usertype.intervation-administrator"
      },
      "clinical_admin": {
        "name": "usertype.clinical-administrator",
        "offline": false
      },
      "case_manager": {
        "name": "usertype.case-manager",
        "offline": true
      },
      "site_lead": {
        "name": "Site Lead",
        "offline": true
      },
      "social_worker": {
        "name": "Social Worker",
        "offline": true
      }
    },
    "permissions": {
      "can_export_messages": [
        "national_admin"
      ],
      "can_export_forms": [
        "national_admin"
      ],
      "can_export_contacts": [
        "national_admin"
      ],
      "can_export_feedback": [
        "national_admin"
      ],
      "can_view_analytics": [
        "national_admin"
      ],
      "can_view_data_records": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_unallocated_data_records": [
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_users": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_edit": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_log_out_on_android": [
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_update_messages": [
        "national_admin"
      ],
      "can_update_users": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_export_dhis": [
        "national_admin"
      ],
      "can_update_people": [
        "national_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_update_places": [
        "national_admin"
      ],
      "can_create_records": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_access_gateway_api": [
        "gateway"
      ],
      "can_create_users": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_create_people": [
        "national_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_create_places": [
        "national_admin"
      ],
      "can_view_tasks": [
        "district_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_tasks_tab": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_configure": [
        "national_admin"
      ],
      "can_view_messages": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_messages_tab": [
        "national_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_reports": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_reports_tab": [
        "national_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_analytics_tab": [
        "national_admin"
      ],
      "can_view_contacts": [
        "national_admin",
        "intervation_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_contacts_tab": [
        "national_admin",
        "intervation_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_edit_profile": [
        "national_admin",
        "district_admin",
        "intervation_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_delete_reports": [
        "national_admin",
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_bulk_delete_reports": [
        "national_admin",
        "district_admin",
        "intervation_admin",
        "clinical_admin"
      ],
      "can_update_reports": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_delete_contacts": [
        "national_admin",
        "case_manager"
      ],
      "can_delete_messages": [
        "national_admin"
      ],
      "can_delete_users": [
        "national_admin",
        "case_manager"
      ],
      "can_view_outgoing_messages": [],
      "can_export_all": [
        "national_admin"
      ],
      "can_view_uhc_stats": [],
      "can_aggregate_targets": [
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_last_visited_date": [
        "clinical_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_edit_verification": [
        "district_admin"
      ],
      "can_verify_reports": [
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_call_action": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_message_action": [
        "national_admin",
        "case_manager",
        "site_lead",
        "social_worker"
      ],
      "can_view_tasks_group": [],
      "can_write_wealth_quintiles": [],
      "can_upgrade": [],
      "can_view_old_navigation": [],
      "can_default_facility_filter": [
        "site_lead",
        "social_worker"
      ],
      "can_have_multiple_places": [],
      "can_export_devices_details": []
    },

What kind of permissions can I grant the national_admin role to behave as a CouchDb admin?
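Diana’s point earlier in the thread is that, from 4.x on, a role has exactly the permissions the config lists and nothing implied by its name, so a user whose only role appears in no permission list gets an empty effective set and the “insufficient privileges” page. The block below is an added audit helper, not cht-core code, that makes this visible for a roles/permissions fragment like the one posted above. The settings object in it is a constructed sample, trimmed and modified from that config: `district_admin` is deliberately granted nothing and `supervisor` is deliberately used in a grant without being declared, so both checks have something to report.

```javascript
// Added audit helper, not cht-core code: checks a CHT-style "roles" /
// "permissions" settings fragment. Since 4.x grants a role nothing beyond
// what the config lists, a role that appears in "roles" but in no permission
// list yields an empty effective permission set.

// Constructed sample settings: trimmed and modified from the config posted in
// this thread, not a real deployment. "district_admin" is deliberately granted
// nothing and "supervisor" is deliberately used without being declared.
const sampleSettings = {
  roles: {
    national_admin: { name: 'usertype.national-manager' },
    district_admin: { name: 'usertype.district-manager', offline: true },
    gateway: { name: 'usertype.gateway' },
    case_manager: { name: 'usertype.case-manager', offline: true },
    social_worker: { name: 'Social Worker', offline: true },
  },
  permissions: {
    can_view_contacts: ['national_admin', 'case_manager', 'social_worker'],
    can_view_reports: ['national_admin', 'case_manager', 'social_worker'],
    can_edit: ['national_admin', 'case_manager', 'social_worker'],
    can_access_gateway_api: ['gateway'],
    can_configure: ['national_admin'],
    can_view_tasks: ['case_manager', 'social_worker', 'supervisor'],
    can_view_outgoing_messages: [],
  },
};

// Effective permissions for a user: the union of every permission whose list
// names one of the user's roles. Nothing is implied by a role's name.
function effectivePermissions(settings, userRoles) {
  const granted = new Set();
  for (const [permission, roles] of Object.entries(settings.permissions || {})) {
    if (roles.some((r) => userRoles.includes(r))) granted.add(permission);
  }
  return [...granted].sort();
}

// Declared roles that no permission list mentions: a user holding only such
// roles logs in with nothing and lands on the "insufficient privileges" page.
function rolesWithoutPermissions(settings) {
  const declared = Object.keys(settings.roles || {});
  return declared
    .filter((role) => effectivePermissions(settings, [role]).length === 0)
    .sort();
}

// Roles that appear in a permission list but were never declared: usually a
// typo, and a grant that cannot take effect for any configured role.
function undeclaredRolesInPermissions(settings) {
  const declared = new Set(Object.keys(settings.roles || {}));
  const seen = new Set();
  for (const roles of Object.values(settings.permissions || {})) {
    for (const role of roles) if (!declared.has(role)) seen.add(role);
  }
  return [...seen].sort();
}

// Summary for one user's role list.
function auditUser(settings, userRoles) {
  const declared = new Set(Object.keys(settings.roles || {}));
  return {
    roles: userRoles,
    unknownRoles: userRoles.filter((r) => !declared.has(r)),
    effective: effectivePermissions(settings, userRoles),
  };
}

console.log('roles granted nothing:', rolesWithoutPermissions(sampleSettings));
console.log('undeclared roles used in grants:', undeclaredRolesInPermissions(sampleSettings));
console.log(auditUser(sampleSettings, ['district_admin']));
console.log(auditUser(sampleSettings, ['case_manager']));
```

Running `rolesWithoutPermissions` against the real settings before an upgrade to 4.x is the quick way to find roles that used to rely on the old hardcoded national_admin grants and now need explicit entries.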

Hi @cliff

Nothing behaves as a couchdb admin except for a couchdb admin. What about being an admin do you need for this role?

Thanks @diana for the feedback. Well, I decided to use national_admin rather than configuring the _admin role.

Hi @cliff

You can’t configure the _admin role. This is a builtin CouchDb role and you won’t be able to just give users this role, users need to be created as db admins.

Is there something specific that you need these users to do that requires admin permissions?

1 Like

Thanks @diana for the clarification on the _admin role.
Well, I just wanted them to be able to get access to the DB documents which the national_admin role covers now.

Yes, there is no similar role to national_admin. national_admin was basically granted db “admin” role, but without being able to actually access couchdb admin-only endpoints.
Now the only users that can do what national_admin did are db admins.

A regular online user already has access to all CouchDb documents, except they can’t edit forms, resources, and some other admin-only documents. Full list is here: cht-core/ddocs/medic-db/medic/validate_doc_update.js at master · medic/cht-core · GitHub

I suggest you experiment with setting these users up as online users and grant them permissions as you see fit.

1 Like

Thanks @diana, makes sense.