Bug #15790

[Workbench2] Non-admin users can access admin pages via urls

Added by Eric Biagiotti almost 2 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
Workbench2
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
-
Release relationship:
Auto

Description

Your token is the same so you can only see data you have access to and perform operations the API lets you. For example, I was able to delete my links, and create a group, but I couldn't make myself an admin.

Before routing to admin pages, we should be checking that the current user is an admin.

History

#1 Updated by Eric Biagiotti almost 2 years ago

  • Description updated (diff)

#2 Updated by Eric Biagiotti almost 2 years ago

  • Description updated (diff)

#3 Updated by Peter Amstutz over 1 year ago

  • Release set to 20

Also available in: Atom PDF