The user can add switch permissions of users not in their team, which goes against the principle of least privilege. There is little reason for users who do not belong to a team to have switch permissions for members of that team.
The user chooses switch permissions on the User Profile settings page as shown below:
Area of the code where access could be denied:
https://github.com/rropen/absense-planner/blob/9cb1ab09322e6a43eb4d8de861ca64f15aa864f6/ap_src/ap_app/views.py#L267-L280
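One way to enforce the restriction server-side, as an added example that is not the project's code: the team-membership mapping, the function names and the `PermissionDenied` exception are hypothetical and stand in for whatever the view at the link above queries. It goes slightly beyond the issue text by also pruning grants that became stale after a team change.

```python
# Added illustration: the data model and all names are hypothetical,
# not taken from the absence-planner code base.
from typing import Dict, Iterable, Set


class PermissionDenied(Exception):
    """Raised when a requested grant includes users outside the owner's teams."""


def teammates_of(user_id: int, team_members: Dict[str, Set[int]]) -> Set[int]:
    """Return every user sharing at least one team with user_id (excluding user_id)."""
    shared: Set[int] = set()
    for members in team_members.values():
        if user_id in members:
            shared |= members
    shared.discard(user_id)
    return shared


def validate_switch_grants(owner_id: int, requested_ids: Iterable[int],
                           team_members: Dict[str, Set[int]]) -> Set[int]:
    """Check the submitted grantee IDs against team co-membership.

    The IDs come from the client, so they are re-checked here even if the
    settings page only lists teammates. The whole request is rejected when
    any ID is outside the owner's teams, so a tampered form is never
    partially applied.
    """
    requested = set(requested_ids)
    requested.discard(owner_id)  # granting to oneself is a no-op
    outsiders = requested - teammates_of(owner_id, team_members)
    if outsiders:
        raise PermissionDenied(
            f"not teammates of user {owner_id}: {sorted(outsiders)}")
    return requested


def prune_stale_grants(owner_id: int, existing: Iterable[int],
                       team_members: Dict[str, Set[int]]) -> Set[int]:
    """Keep only existing grants whose holder still shares a team with the owner."""
    return set(existing) & teammates_of(owner_id, team_members)


# Constructed sample data: team name -> member user IDs.
TEAMS = {"platform": {1, 2, 3}, "design": {3, 4}, "finance": {5}}
```
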