RailsApps / rails-stripe-membership-saas

An example Rails 4.2 app with Stripe and the Payola gem for a membership or subscription site.
http://railsapps.github.io/rails-stripe-membership-saas

Security issue: it is possible for non-admin to become an admin #89

Closed e11s closed 9 years ago

e11s commented 10 years ago

When non-admins are changing their role, instead of posting one of the role ids available on the page, they can post the role id of the admin role; this assigns them the admin role.

Some kind of check should be made when updating roles not to allow non-admins to assign admin roles.
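The flaw described in this issue is a server-side authorization gap: the form only offers the non-admin roles, but the controller trusts whatever role id arrives in the POST. The following is an added example written for this page, not code from the rails-stripe-membership-saas project or from the issue author. It models the role-change flow in plain Ruby (no Rails dependency) with the unchecked update beside a hardened version that derives both the dropdown options and the permission check from one allow-list, so a tampered role id is rejected before assignment. The role names and ids are constructed for the example; the real app's roles may differ.

```ruby
# Added example, not the project's code. Roles and ids below are constructed.
ROLES = { 1 => :silver, 2 => :gold, 3 => :platinum, 4 => :admin }.freeze

# Roles a self-service user may switch between (assumption: the paid tiers only).
SELF_SERVICE_ROLES = %i[silver gold platinum].freeze

User = Struct.new(:name, :role)

# The options rendered into the role <select> for this user. Because the
# permission check below uses the same list, the server never accepts a
# role the page would not have offered.
def role_options_for(user)
  allowed = user.role == :admin ? ROLES.values : SELF_SERVICE_ROLES
  ROLES.select { |_, name| allowed.include?(name) }.map { |id, name| [name, id] }
end

# Vulnerable pattern (what the issue describes): whatever role id arrived in
# the form post is looked up and assigned. Strong parameters do not help here;
# permitting :role_id only controls which keys are accepted, not their values.
def update_role_unchecked(user, params)
  new_role = ROLES[params[:role_id].to_i]
  raise ArgumentError, "unknown role" if new_role.nil?
  user.role = new_role
  [:ok, user]
end

# Hardened: the requested role must be one the user is allowed to choose.
# Non-admins are limited to SELF_SERVICE_ROLES; only an admin may grant :admin.
def update_role_checked(user, params)
  new_role = ROLES[params[:role_id].to_i]
  raise ArgumentError, "unknown role" if new_role.nil?
  allowed = role_options_for(user).map(&:first)
  unless allowed.include?(new_role)
    # A real controller would log this attempt and respond with 403 or a
    # redirect; the user's role is left untouched.
    return [:forbidden, user]
  end
  user.role = new_role
  [:ok, user]
end

if __FILE__ == $PROGRAM_NAME
  tampered = { role_id: "4" } # constructed request: the admin role id, not offered on the page
  puts update_role_unchecked(User.new("alice", :silver), tampered).inspect
  puts update_role_checked(User.new("alice", :silver), tampered).inspect
end
```

Running the block prints the unchecked path promoting the user to `:admin` and the checked path returning `:forbidden` with the role unchanged. The design point is that the allow-list feeding the view and the one enforced in the update are the same object, so they cannot drift apart when a new role is added.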

DanielKehoe commented 9 years ago

There is a new version of this application for Rails 4.2 using the Payola gem.