CrisisCleanup / crisiscleanup-2

[OLD] This version of the codebase was retired on March 27, 2020. Open Source Collaborative Disaster Recovery and Cleanup
https://www.crisiscleanup.org

User Details. #385

Closed arroyoDev closed 6 years ago

arroyoDev commented 7 years ago

You're going to love this one: https://www.crisiscleanup.org/admin/users

  1. Fix an internal vulnerability where a user can technically edit ALL other users' information by simply changing the ID in the URL. Yeah, I know......
     https://www.crisiscleanup.org/admin/users/5977/edit (change 5977 to 1 and see what I mean)
  2. Upgrade the users page with the following information:
     - Name
     - Mobile number
     - Email
     - My Organization (as a label)
     - "Change Organizations" button (see issue #386)
     - ___ List me as a contact for my organization. (see issue TBD)
     - Admin checkbox. Only if you are an admin do you see the Admin checkbox. This now gives you admin powers.

Add deactivate user to this page. Be sure to pop up a "Are you sure" message first. see issue #387

[Screenshot: screen shot 2017-09-21 at 1 27 25 pm]

pantherchild commented 6 years ago

Hey crew.

As part of our hackathon today, we have looked at the first part of this issue. What we've found is that if you're logged in as an admin, you're able to switch between users and update their information at will. If you're logged in as a regular user, you are not able to switch in the manner described. Instead, you'll be dropped back to the dashboard page if you attempt to access a page that you don't have the proper permissions to hit.

Assuming that the admin users should be able to access and edit all users, this seems to be the correct behavior. None of us were able to replicate this behavior with a standard user.

If there's any more information that would help us repro on a standard user, please let us know!

--Jenny
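The two behaviours discussed in this thread, the original "change the ID in the URL" edit and the admin-or-owner check that sends everyone else back to the dashboard, as an added example in plain Ruby. This is not code from crisiscleanup-2 or from either commenter; the `User` struct, the `USERS` table and every method name are assumptions for illustration, standing in for the controller action behind `/admin/users/:id/edit`. It also covers the Admin checkbox from item 2: hiding the checkbox for non-admins is a view decision, so the update path must still drop an `admin` parameter that a non-admin submits by hand.

```ruby
# Added example, not crisiscleanup-2 code. Models the authorization decision
# in front of /admin/users/:id/edit without Rails so it runs stand-alone.

User = Struct.new(:id, :name, :mobile, :email, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end

# Constructed sample data standing in for the users table (ids are made up).
USERS = {
  1    => User.new(id: 1,    name: "Site Admin", mobile: "555-0100", email: "admin@example.org", admin: true),
  5977 => User.new(id: 5977, name: "Volunteer",  mobile: "555-0101", email: "vol@example.org",   admin: false),
  6001 => User.new(id: 6001, name: "Other Vol",  mobile: "555-0102", email: "other@example.org", admin: false),
}.freeze

# The behaviour the issue reports: the record named by the URL id is loaded
# and handed to the edit form with no ownership check, so any logged-in user
# reaches any other user's edit page just by changing the id.
def edit_user_vulnerable(_current_user, id)
  target = USERS[id.to_i]
  return :not_found unless target
  { action: :render_edit, target: target } # no authorization at all
end

# Hardened behaviour: an admin may edit anyone; a regular user may edit only
# their own record; anything else is a redirect to the dashboard, which is
# what the hackathon team observed for a regular user.
def edit_user_authorized(current_user, id)
  target = USERS[id.to_i]
  return :not_found unless target
  return { action: :render_edit, target: target } if current_user.admin?
  return { action: :render_edit, target: target } if current_user.id == target.id
  { action: :redirect, to: "/dashboard" }
end

# Hiding the Admin checkbox in the view is not a control: the form post can
# still carry admin=true. Drop that key server-side unless the requester is
# an admin (mass-assignment protection done by hand here).
def permitted_update_params(current_user, params)
  allowed = %w[name mobile email]
  allowed << "admin" if current_user.admin?
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Update path: reuse the same authorization decision as the edit page, then
# apply only the permitted fields. Works on a copy so sample data stays intact.
def update_user(current_user, id, params)
  decision = edit_user_authorized(current_user, id)
  return decision unless decision.is_a?(Hash) && decision[:action] == :render_edit
  target = decision[:target].dup
  permitted_update_params(current_user, params).each { |k, v| target[k.to_sym] = v }
  { action: :updated, target: target }
end

if __FILE__ == $PROGRAM_NAME
  volunteer = USERS[5977]
  puts "vulnerable: volunteer opens user 1 -> #{edit_user_vulnerable(volunteer, '1')[:action]}"
  puts "authorized: volunteer opens user 1 -> #{edit_user_authorized(volunteer, '1')[:action]}"
  puts "authorized: volunteer posts admin=true -> admin=#{update_user(volunteer, '5977', 'admin' => true)[:target].admin}"
end
```

The point of keeping `update_user` on the same `edit_user_authorized` decision is that a check applied only when rendering the form is bypassed by posting directly to the update endpoint; the authorization and the parameter filtering both belong on the write path.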

arroyoDev commented 6 years ago

Hi Jenny.

Would you mind giving me a call at 601-434-4099?
