Further restrict UserInvite action to those with TeamEdit and TeamCreate permissions #3864
Summary
To further reflect the intention of the power of UserInvite it will now require additional privileges to be granted.

Reasoning
By inviting a user to an existing team, the user is editing a team, and causing the creation of a user. This would allow them to invite a user to a team with greater privilege than their own. To make it clear, they will now require TeamEdit, which makes the power of this action more obvious.

CVE
CVE-2017-15611
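
The reasoning above, modelled as an added example that is not the project's code: it compares the old UserInvite-only check with a check that also requires the permissions named in the issue title. The team names, the `SystemAdmin` permission and all function names are constructed assumptions.

```python
# Constructed model of team-based permissions; not the project's implementation.
# Team names and the "SystemAdmin" permission are illustrative assumptions.
TEAM_GRANTS = {
    "Inviters": frozenset({"UserInvite"}),
    "Team Managers": frozenset({"UserInvite", "TeamEdit", "TeamCreate"}),
    "Administrators": frozenset(
        {"UserInvite", "TeamEdit", "TeamCreate", "SystemAdmin"}
    ),
}

# Permissions demanded of the inviter before and after the change.
REQUIRED_BEFORE = frozenset({"UserInvite"})
REQUIRED_AFTER = frozenset({"UserInvite", "TeamEdit", "TeamCreate"})


def effective_permissions(teams):
    """Union of the grants of every team the account belongs to."""
    perms = set()
    for team in teams:
        perms |= TEAM_GRANTS[team]
    return frozenset(perms)


def invite_outcome(inviter_teams, target_team, required):
    """Return (allowed, gained).

    gained is the set of permissions the invited account would hold
    that the inviter does not: the privilege gap the issue describes.
    """
    held = effective_permissions(inviter_teams)
    allowed = required <= held
    gained = TEAM_GRANTS[target_team] - held if allowed else frozenset()
    return allowed, gained


if __name__ == "__main__":
    for label, required in (("before", REQUIRED_BEFORE), ("after", REQUIRED_AFTER)):
        for inviter in (["Inviters"], ["Team Managers"]):
            allowed, gained = invite_outcome(inviter, "Administrators", required)
            print(label, inviter, "allowed" if allowed else "denied", sorted(gained))
```

In this model an account that holds TeamEdit can still invite into a more privileged team; the stricter check limits the action to accounts that were already trusted to change team membership.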