All users have administrator privileges

[Nikopol315]

I'm confused, why all users have administrator privileges(every user can change a password of other users)?

It seems to be a big security leak. Isn't it?

If a user does not have an access to the project, it can easily change a password of another user, who has admin privileges. Then, it can login as a project administrator user and give the same admin privileges for the project to the any user

[Nikopol315]

It's the awesome project! Nice GUI to run ansible tasks. Many thanks to the author!

But, because of this issue, I'm not able to use it in my organisation :(

[rakshazi]

@Nikopol315 as for 2.0.4, only user with admin rights can perfom admin actions in project, but buttons (and links) still visibly for all users.
You can test it:

1. Create 2 users: admin (with admin rights for project) and user (without admin rights)
2. Try to remove or edit existing project with admin user - all ok, you can do that.
3. Try to remove or edit existing project with user user - you will see error on this actions.

[matejkramny]

Thanks for reporting

[akentosh]

Any ideas on when the fixes will be merged?

[matejkramny]

hmm soon hopefully. Haven't given much attention to this project recently unfortunately.

[twhiston]

fixed by #405