Details
-
Bug
-
Resolution: Fixed
-
High
-
2.4.0
Description
With "Administrator" permission I go to the global permissions page (http://<host>:7990/admin/permissions).
1. Type in the name of another user without any global permissions.
2. Select "System Administrator" as permission.
3. Press save.
Expected result:
Stash would deny me creating a "System Administrator" since I am only a "Administrator".
Actual result:
Stash allows me to create a "System Administrator".
Since I can create users I'm able to create a new user give that user "System Administrator" permissions, and then log in as that user. Thus elevating my privileges.