# troubleshooting
k
Issue opened. Thanks for your help!
n
Here's a brand new thread for you! Please keep the discussion for this problem in this thread.
n
You're welcome!
I think the issue means that a non-admin user can change an admin user's password... That's not great 😅
I mean, there's no UI for that, but with a well-crafted client, it's possible
ah, no, there's a double-check, so it's not possible. Phew
Hmm, looking closer, the code seems correct: The logged in user needs to have the change-password permission for the target user, which it does if:
- it's the same user (can change your own password)
- it's an admin (can change every password)
- it's a password manager and the target user is not an admin (privilege escalation)
Something else happened in your session: I'm guessing that the current user somehow became admin after logging in, and that the changes in permissions were not reflected until after logging out/back in
@kevs1198 Can you confirm that an admin can change a password_manager's password?
k
Yes. I think you are right about permissions not being refreshed. I may have done that without logging out, I'm not sure