tridentli / trident

Trident is a trusted and secure communication platform for enabling better communication between groups of trusted parties
https://trident.li
Apache License 2.0

Enhancement: Prohibit trustgroup administrators from changing members' profiles if users are sysadmin #132

Open teward opened 6 years ago

teward commented 6 years ago

During a pentest done against a Trident instance, it was observed that trustgroup administrators can change trustgroup members' profile data.

Whether this was initially supposed to be allowed or not, it should not be permitted for Trustgroup Administrators to change profile data for sysadmin level users. I propose that if a trustgroup administrator attempts to change a system administrator's profile data, they get an error, and that only system administrators or the user themselves should be changing other sysadmins' profiles.
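The rule proposed in this issue is an authorization decision that can be expressed as a small, self-contained check. The following Go program is an added example written for this page; it is not Trident's own code, and the `User`, `TrustGroup` and `CanEditProfile` names, the `SysAdmin` flag and the membership/admin maps are assumptions chosen for illustration rather than Trident's real data model. It encodes the three tiers the report describes (self, system administrator, trustgroup administrator over an ordinary member) and denies every other case, including a trustgroup administrator acting on a sysadmin.

```go
package main

import "fmt"

// User is a hypothetical, minimal user record for this example (not Trident's type).
type User struct {
	Username string
	SysAdmin bool // system-administrator privilege level
}

// TrustGroup is a hypothetical trustgroup with its members and its administrators.
type TrustGroup struct {
	Name    string
	Members map[string]bool // usernames that belong to the trustgroup
	Admins  map[string]bool // usernames holding trustgroup-administrator rights
}

// Decision is the outcome of an authorization check plus a reason suitable for logging.
type Decision struct {
	Allowed bool
	Reason  string
}

// CanEditProfile decides whether actor may change target's profile data, applying
// the rule proposed in the issue, in priority order:
//   1. a user may always edit their own profile;
//   2. a system administrator may edit any profile;
//   3. a trustgroup administrator may NOT edit a system administrator's profile;
//   4. a trustgroup administrator may edit the profile of a member of that trustgroup;
//   5. everything else is denied (deny by default).
func CanEditProfile(actor, target User, tg TrustGroup) Decision {
	switch {
	case actor.Username == target.Username:
		return Decision{true, "user edits own profile"}
	case actor.SysAdmin:
		return Decision{true, "actor is a system administrator"}
	case target.SysAdmin:
		// The check this issue asks for: trustgroup admins must get an error here.
		return Decision{false, "trustgroup administrators may not change a sysadmin's profile"}
	case tg.Admins[actor.Username] && tg.Members[target.Username]:
		return Decision{true, "trustgroup administrator edits a member's profile"}
	default:
		return Decision{false, "no administrative relationship between actor and target"}
	}
}

func main() {
	// Constructed sample data for the demonstration.
	root := User{Username: "root", SysAdmin: true}
	alice := User{Username: "alice"} // trustgroup administrator
	bob := User{Username: "bob"}     // ordinary member
	carol := User{Username: "carol"} // not a member of the trustgroup
	tg := TrustGroup{
		Name:    "example-tg",
		Members: map[string]bool{"root": true, "alice": true, "bob": true},
		Admins:  map[string]bool{"alice": true},
	}

	cases := []struct{ actor, target User }{
		{alice, root}, // must be denied: tg admin editing a sysadmin
		{alice, bob},  // allowed: tg admin editing an ordinary member
		{alice, carol}, // denied: target is not a member of the trustgroup
		{bob, alice},  // denied: bob is not a tg admin
		{root, alice}, // allowed: sysadmin edits anyone
		{root, root},  // allowed: self
	}
	for _, c := range cases {
		d := CanEditProfile(c.actor, c.target, tg)
		fmt.Printf("%-6s -> %-6s allowed=%-5t (%s)\n", c.actor.Username, c.target.Username, d.Allowed, d.Reason)
	}
}
```

Keeping the decision in one function with an explicit deny-by-default branch makes the policy easy to unit test and to log: the `Reason` string from a denied decision is what an audit record of the failed attempt should carry.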