fred4jupiter / fredbet

Simple football betting application using Spring Boot, Thymeleaf and Bootstrap. Well prepared for betting with friends.
MIT License

Admin password can be reset by other admin users #34

Closed jotiprime closed 2 years ago

jotiprime commented 2 years ago

If a user has an admin role, they can reset the password of the default admin user. It would be better if the password of the admin user were not resettable.

fred4jupiter commented 2 years ago

Yes, that's the way it is implemented now. It depends on the perspective. Otherwise the admin account is not "recoverable" if you cannot reset it by another admin user. But I understand your point. I may think about it.

fred4jupiter commented 2 years ago

I changed the behaviour so that the admin user will not be shown in the user list for other admins. This way other admins cannot update the default admin user. See latest release version 2.8.3.
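The rule discussed in this thread, as an added example that is not part of the original issue and is not fredbet's code: the default admin is omitted from the list other admins see, and the same check is applied when a reset is requested. The class name, the `admin` username, the `ROLE_ADMIN` role string and the in-memory user map are assumptions made for illustration.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DefaultAdminGuard {
    // Assumption: the built-in account is identified by this fixed username.
    static final String DEFAULT_ADMIN = "admin";

    record User(String name, Set<String> roles) {
        boolean isAdmin() { return roles.contains("ROLE_ADMIN"); } // hypothetical role name
        boolean isDefaultAdmin() { return DEFAULT_ADMIN.equals(name); }
    }

    private final Map<String, User> users;

    DefaultAdminGuard(Map<String, User> users) { this.users = users; }

    /** User list as seen by actor: other admins never see the default admin. */
    List<User> listUsersFor(User actor) {
        requireAdmin(actor);
        return users.values().stream()
                .filter(u -> !u.isDefaultAdmin() || actor.isDefaultAdmin())
                .sorted(Comparator.comparing(User::name))
                .toList();
    }

    /** Same rule on the write path, independent of what the list displayed. */
    void resetPassword(User actor, String targetName) {
        requireAdmin(actor);
        User target = users.get(targetName);
        if (target == null) throw new IllegalArgumentException("unknown user");
        if (target.isDefaultAdmin() && !actor.isDefaultAdmin())
            throw new SecurityException("default admin can only be reset by itself");
        // A real service would generate and store a new credential here.
        System.out.println(actor.name() + " reset password of " + target.name());
    }

    private static void requireAdmin(User actor) {
        if (!actor.isAdmin()) throw new SecurityException("admin role required");
    }

    public static void main(String[] args) {
        // Constructed sample accounts.
        User root = new User("admin", Set.of("ROLE_ADMIN"));
        User bob = new User("bob", Set.of("ROLE_ADMIN"));
        User eve = new User("eve", Set.of("ROLE_USER"));
        var svc = new DefaultAdminGuard(Map.of("admin", root, "bob", bob, "eve", eve));
        System.out.println(svc.listUsersFor(bob));
        svc.resetPassword(bob, "eve");
        try { svc.resetPassword(bob, "admin"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

With this rule the default admin can only be reset by itself, which is the recoverability trade-off raised earlier in the thread.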