Bug #5294

System users and groups not fully protected from deletion

Added by Fernando Munoz over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
User Manager / Privileges
Target version:
Start date:
10/10/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

It's possible to shoot yourself in the foot and delete the admin user and the all/admins groups.

1. Configure Tamper Data / Burp Suite

Delete admin user - steps to reproduce
2. Create any user
3. Attempt to delete that user and modify the HTTP request: put user id 0 and name admin
4. admin will be deleted

Delete the all/admins groups
2. Create a group called all or admins
3. Attempt to delete the group created and modify the HTTP request: put group id 0 if using all, or 1 if using admins
4. The group will be deleted

These checks should be applied on the server side before attempting to do the action and not just when showing the menu.
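The server-side check the last sentence asks for, as an added example that is not pfSense's own code: a small Python model of the user and group delete handlers, with the vulnerable pattern (the menu hides the button, the handler trusts the request) next to a hardened version that re-validates before acting. The request field names (act, id, name), the stand-in directory tables and the sample request bodies are constructed for this illustration; the protected ids (admin = user 0, all = group 0, admins = group 1) are the ones given in the report.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs

# Built-in principals that must never be deleted. Ids follow the bug report:
# admin is user id 0, "all" is group id 0, "admins" is group id 1.
PROTECTED_USERS = {0: "admin"}
PROTECTED_GROUPS = {0: "all", 1: "admins"}


class DeleteRefused(Exception):
    """Raised when a delete request targets a protected or inconsistent record."""


@dataclass(frozen=True)
class DeleteRequest:
    id: int
    name: str


@dataclass
class Directory:
    """Stand-in for the user and group tables (constructed sample data)."""
    users: Dict[int, str] = field(default_factory=lambda: {0: "admin", 2: "alice"})
    groups: Dict[int, str] = field(default_factory=lambda: {0: "all", 1: "admins", 3: "ops"})


def parse_delete_request(body: str) -> DeleteRequest:
    """Decode a form-encoded delete request. The field names act/id/name are
    assumed for this example, not taken from the real user manager."""
    fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("act") != "del":
        raise DeleteRefused("not a delete request")
    try:
        return DeleteRequest(int(fields["id"]), fields.get("name", ""))
    except (KeyError, ValueError):
        raise DeleteRefused("missing or non-numeric id") from None


def delete_user_unchecked(d: Directory, body: str) -> None:
    """Vulnerable pattern from the report: the only guard is that the menu
    hides the delete button for admin, so the handler removes whatever id
    the client supplies, including id 0."""
    req = parse_delete_request(body)
    d.users.pop(req.id, None)


def _guard(table: Dict[int, str], protected: Dict[int, str],
           req: DeleteRequest, kind: str) -> int:
    """Server-side checks shared by users and groups: neither the id nor the
    name may belong to a built-in entry, and the client-supplied name must
    match the stored record so the client cannot pair a harmless name with a
    protected id (or the reverse)."""
    if req.id in protected or req.name in protected.values():
        raise DeleteRefused(f"{kind} {req.name!r} (id {req.id}) is built in and cannot be deleted")
    if table.get(req.id) != req.name:
        raise DeleteRefused(f"{kind} id {req.id} does not match name {req.name!r}")
    return req.id


def delete_user(d: Directory, body: str) -> str:
    """Hardened handler: validates on the server, returns the deleted name."""
    rec_id = _guard(d.users, PROTECTED_USERS, parse_delete_request(body), "user")
    return d.users.pop(rec_id)


def delete_group(d: Directory, body: str) -> str:
    """Hardened handler for groups, same checks against the group table."""
    rec_id = _guard(d.groups, PROTECTED_GROUPS, parse_delete_request(body), "group")
    return d.groups.pop(rec_id)


def attempt(handler, d: Directory, body: str) -> Optional[str]:
    """Run a handler and return the deleted name, or None if it was refused."""
    try:
        return handler(d, body)
    except DeleteRefused as e:
        print("refused:", e)
        return None


if __name__ == "__main__":
    d = Directory()
    delete_user_unchecked(d, "act=del&id=0&name=admin")   # tampered request goes through
    print("unchecked handler removed admin:", 0 not in d.users)

    d = Directory()
    attempt(delete_user, d, "act=del&id=0&name=admin")    # id 0 is protected
    attempt(delete_user, d, "act=del&id=2&name=admin")    # name admin is protected
    attempt(delete_group, d, "act=del&id=0&name=all")     # group all is protected
    attempt(delete_group, d, "act=del&id=1&name=admins")  # group admins is protected
    print("deleted:", attempt(delete_user, d, "act=del&id=2&name=alice"))
    print("deleted:", attempt(delete_group, d, "act=del&id=3&name=ops"))
```

The point of checking both the id and the name is the reporter's own trick: the deletion form displays one record while the submitted request names another, so a check on only one of the two fields can still be bypassed.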
