Fix an internal vulnerability where a user can technically edit ALL other users' information by simply changing the ID in the URL. Yeah, I know...... https://www.crisiscleanup.org/admin/users/5977/edit (change 5977 to 1 and see what I mean)
upgrade the users page with the following information:
Name
Mobile number
email
My Organization (as a label) "Change Organizations" button (see issue User Change Organization #386)
___ List me as a contact for my organization. (see issue TBD)
Admin checkbox. Only if you are an admin do you see the Admin checkbox. This now gives you admin powers.
Add deactivate user to this page. Be sure to pop up an "Are you sure" message first. See issue #387
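The access-control bug described above (any logged-in user editing any account by changing the id in the URL), as an added example that is not Crisis Cleanup's own code: a vulnerable update handler beside a fixed one that authorizes against the session user rather than the URL, keeps the admin flag out of reach of non-admins, and makes deactivation admin-only. The User struct, the in-memory USERS table, the ids and the Forbidden error are constructed for illustration; no particular web framework is assumed.

```ruby
# Added example, not Crisis Cleanup's code. User, USERS, the ids and the
# Forbidden error are constructed for illustration only.
User = Struct.new(:id, :name, :email, :admin, :active, keyword_init: true)

USERS = {
  1    => User.new(id: 1,    name: 'Site Admin', email: 'admin@example.org', admin: true,  active: true),
  5977 => User.new(id: 5977, name: 'Volunteer',  email: 'vol@example.org',   admin: false, active: true),
  6001 => User.new(id: 6001, name: 'Other',      email: 'other@example.org', admin: false, active: true)
}.freeze
class Forbidden < StandardError; end

# Vulnerable pattern: trust the :id from the URL and update whoever it names.
# Any logged-in user can edit any record just by changing the number.
def update_user_unchecked(params)
  target = USERS.fetch(params[:id])
  target.name  = params[:name]  if params.key?(:name)
  target.admin = params[:admin] if params.key?(:admin)
  target
end

# Fixed pattern: the decision comes from the authenticated session
# (current_user), never from the URL parameter alone.
def can_edit?(current_user, target)
  current_user.active && (current_user.admin || current_user.id == target.id)
end

# Which fields a caller may set depends on who they are: the admin flag is
# dropped for non-admins even when it is present in the request body.
def permitted_fields(current_user)
  current_user.admin ? %i[name email admin] : %i[name email]
end

def update_user(current_user, params)
  target = USERS.fetch(params[:id]) { raise Forbidden, 'unknown user' }
  raise Forbidden, "user #{current_user.id} may not edit user #{target.id}" unless can_edit?(current_user, target)
  permitted_fields(current_user).each do |field|
    target[field] = params[field] if params.key?(field)
  end
  target
end

# Deactivation is admin-only; the "Are you sure" prompt lives in the UI, the
# server still re-checks the caller and refuses self-deactivation.
def deactivate_user(current_user, target_id)
  raise Forbidden, 'admin only' unless current_user.admin && current_user.active
  raise Forbidden, 'cannot deactivate yourself' if current_user.id == target_id
  target = USERS.fetch(target_id) { raise Forbidden, 'unknown user' }
  target.active = false
  target
end
```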
As part of our hackathon today, we have looked at the first part of this issue. What we've found is that if you're logged in as an admin, you're able to switch between users and update their information at will. If you're logged in as a regular user, you are not able to switch in the manner described. Instead, you'll be dropped back to the dashboard page if you attempt to access a page that you don't have the proper permissions to hit.
Assuming that the admin users should be able to access and edit all users, this seems to be the correct behavior. None of us were able to replicate this behavior with a standard user.
If there's any more information that would help us repro on a standard user, please let us know!
On Oct 27, 2017, at 11:23 AM, Jenny <***@***.***> wrote:
Hey crew.
--Jenny
You're going to love this one https://www.crisiscleanup.org/admin/users