Uploaded image for project: 'Jira Align'
  1. Jira Align
  2. JIRAALIGN-4856

Regular admins are capable of changing the role of super admins

    XMLWordPrintable

Details

    • 1
    • Severity 3 - Minor
    • No

    Description

      Issue Summary

      A regular admin has the ability to modify the role of a super admin account.  This means that regular admins with the administration > people permission could hijack a JA instance from their super admins, or that an instance could end up with no super admins.  This should be seen as a security gap.

      Realistically, you would expect that a non-super admin would see the role dropdown as read-only when editing the account of a super admin.

      Steps to Reproduce

      1. Log into a non-super admin user account that has permissions to edit people (users)
      2. Go to Administration > People and search for an account that is a known super user.
      3. Click on the roles dropdown and change the super admin role to anything else.

      Expected Results

      This dropdown would be read-only - or changes to this field should not be savable.

      Actual Results

      The super admin user's role is changed to whatever was selected, and their super admin permissions are lost. 

      Workaround

      No workaround possible, aside from making sure that any admins below SA do not have people level permissions.

      Attachments

        Activity

          People

            940aaf7b0db4 Sheila Kelly
            b9109d53fd18 Todd Hall
            Votes:
            8 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Backbone Issue Sync