rropen / absense-planner

Planner tool for team absences

AP: User should not be able to add switch permissions of user not in their team #345

Open Jayden876212 opened 3 months ago

Jayden876212 commented 3 months ago

[image: RRSwitchPermissionIssueRoadmapV2WithIDs]

The user can add switch permissions for users not in their team, which goes against the principle of least privilege. There is little reason for users who do not belong to a team to have switch permissions for members of that team.

The user chooses switch permissions on the User Profile settings page as shown below:

[image: User Profile settings page, switch permissions selector]

Area of the code where access could be denied:

https://github.com/rropen/absense-planner/blob/9cb1ab09322e6a43eb4d8de861ca64f15aa864f6/ap_src/ap_app/views.py#L267-L280

Jayden876212 commented 3 months ago

An improvement to this could be made with #269
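The check the issue asks for, as an added illustration that is not the absense-planner project's own code: the server rejects a switch-permission grant unless the requesting user and the named user share a team, regardless of what the settings form offered. The in-memory `Team` and grant-store structures, the grant direction, and the refusal of self-grants are assumptions made for this example; the project's Django models and the view linked above are not used.

```python
# Added example (not the absense-planner project's own code): a server-side
# guard that only lets a user grant switch permissions to someone who shares a
# team with them. The in-memory Team/grant structures below are assumptions made
# for illustration; the real project's Django models and view are not used.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the requesting user may not grant the requested permission."""


@dataclass
class Team:
    name: str
    members: frozenset  # usernames


@dataclass
class SwitchPermissionStore:
    # (grantor, grantee) pairs; a grant lets `grantee` switch to `grantor`'s view.
    # The direction is an assumption for this example.
    grants: set = field(default_factory=set)


def teams_of(username, teams):
    """Names of the teams `username` belongs to."""
    return {t.name for t in teams if username in t.members}


def shares_team(a, b, teams):
    """True if users a and b are both members of at least one common team."""
    return bool(teams_of(a, teams) & teams_of(b, teams))


def eligible_grantees(grantor, teams):
    """Users the settings form should offer: teammates only, never the grantor."""
    return {m for t in teams if grantor in t.members for m in t.members} - {grantor}


def add_switch_permission_unchecked(store, grantor, grantee):
    """The pattern the issue describes: any submitted username is accepted.
    Filtering the dropdown in the template does not help on its own, because
    the POSTed value is under the client's control."""
    store.grants.add((grantor, grantee))
    return True


def add_switch_permission(store, grantor, grantee, teams):
    """Hardened version: deny unless grantor and grantee share a team.
    The check runs on the server against the submitted value, not the UI."""
    if grantor == grantee:
        # Design choice for this example: a self-grant is meaningless, refuse it.
        raise PermissionDenied("a user cannot grant switch permission to themself")
    if not shares_team(grantor, grantee, teams):
        raise PermissionDenied(f"{grantee} is not in any of {grantor}'s teams")
    store.grants.add((grantor, grantee))
    return True


def handle_post(store, request_user, posted_grantee, teams):
    """Minimal stand-in for a view handling the settings form POST. Returns an
    HTTP-like status code: 200 on success, 403 on a denied grant."""
    try:
        add_switch_permission(store, request_user, posted_grantee, teams)
    except PermissionDenied:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample data: alice and bob share a team, carol is elsewhere.
    teams = [Team("ops", frozenset({"alice", "bob"})),
             Team("dev", frozenset({"carol"}))]
    store = SwitchPermissionStore()
    print(handle_post(store, "alice", "bob", teams))    # 200
    print(handle_post(store, "alice", "carol", teams))  # 403
```

The point of keeping `eligible_grantees` and `add_switch_permission` as two separate functions is that the first only shapes the form, while the second is the actual access-control decision; a fix that narrows the dropdown but leaves the POST handler as in `add_switch_permission_unchecked` still has the problem the issue describes.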