project-anacapa / course-github-org-tool

PLEASE USE: https://github.com/project-anacapa/github-roster-tool instead!
MIT License

Check for lowered privilege periodically so that when owner becomes non-owner privileges are revoked. #31

Open pconrad opened 7 years ago

pconrad commented 7 years ago

There is a small security vulnerability that is not likely to cause problems in practice.

If you revoke someone's "owner" status in an org, but they are still logged in, they will retain admin rights in the Rails App until they log out.

If there is a way to mitigate this easily, we should do it.

attritionorg commented 7 years ago

If you change their privileges, you can terminate their session and force them to authenticate again, inheriting the new privileges.
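One way to implement both suggestions in this thread (the periodic re-check from the issue, and the forced re-authentication from the comment above), as an added example that is not code from course-github-org-tool: the cached "owner" flag in the session is re-validated against GitHub at most every RECHECK_INTERVAL seconds, and a lost owner role either downgrades the session or clears it. The GitHub org-membership call is stood in for by an injected callable, and the interval value is an assumption; in the Rails app this would run from a `before_action`.

```ruby
# Added example (not from the project): re-validate a cached "org owner"
# flag periodically so a revoked owner loses admin rights without logging out.
# role_lookup stands in for the real GitHub org-membership API call
# (hypothetical stand-in); RECHECK_INTERVAL is an assumed tuning value.

RECHECK_INTERVAL = 300 # seconds between re-checks against GitHub

# Minimal stand-in for a Rails session hash holding cached privilege data.
def new_session(admin:, now:)
  { admin: admin, privilege_checked_at: now }
end

# Returns :unchanged, :downgraded, :upgraded, or :terminated.
# - role_lookup: callable returning the user's current org role
#   ("admin" for owners, "member" otherwise) or nil if no longer a member.
# - terminate_on_loss: when true, a lost owner role clears the session
#   entirely, forcing the user to authenticate again.
def refresh_privileges!(session, role_lookup:, now: Time.now.to_i, terminate_on_loss: false)
  # Skip the remote call while the cached answer is still fresh.
  return :unchanged if now - session[:privilege_checked_at] < RECHECK_INTERVAL

  role = role_lookup.call
  session[:privilege_checked_at] = now
  still_owner = (role == "admin")
  return :unchanged if session[:admin] == still_owner

  if session[:admin] && !still_owner && terminate_on_loss
    session.clear
    return :terminated
  end

  # Otherwise the cached flag follows whatever GitHub currently reports,
  # so neither a stale grant nor a stale denial persists past one interval.
  session[:admin] = still_owner
  still_owner ? :upgraded : :downgraded
end
```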