Disabling System Users can log in and access REST API

Status: Reported

Steps to Reproduce
In the SuperOffice Web Admin you can disable the Other/System users. Doing so, you would expect that these users can no longer log in. On the contrary, disabling them does not prevent these accounts from logging in. Tested in SO 8 SR2.

Step by step to reproduce:
Log in to Web Admin
Go to Other Users
Edit a user (for example crm7) and set the user to Inactive
Save the setting
Log out
Try to log in as the crm7 user in Web Admin
Notice that you are able to log in as the crm7 user and access the REST API.

When you open the crm7 user's settings again, notice that the user has switched from Inactive back to Active.

Note: the isActive flag in the Credentials table is always set to 1, even when the GUI shows Inactive as ticked.
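The failure mode above, modelled as an added example (not SuperOffice code): the save path writes isActive=1 regardless of what the GUI shows, so both the Web Admin login and the REST API login, which read the same flag, keep accepting the account. The table layout, the shared authenticate gate and the "constructed-secret" password are assumptions made for the model; the reproduce() function walks the report's steps against the buggy save and against a save that persists the flag.

```python
def make_credentials_table():
    """Constructed stand-in for the Credentials table: one row for crm7."""
    return {"crm7": {"isActive": 1, "pw": "constructed-secret"}}


def save_user_buggy(db, name, inactive):
    # Mirrors the report: whatever the Inactive checkbox shows, the
    # persisted flag is always written back as 1 (active).
    db[name]["isActive"] = 1


def save_user_fixed(db, name, inactive):
    # Persist the administrator's choice to the row the login paths read.
    db[name]["isActive"] = 0 if inactive else 1


def gui_shows_inactive(db, name):
    """What the admin page displays after reload (it re-reads the flag)."""
    return db[name]["isActive"] == 0


def authenticate(db, name, password):
    """Single gate every entry point must go through: wrong password or
    an inactive flag both refuse the login."""
    row = db.get(name)
    if row is None or row["pw"] != password:
        return False
    return row["isActive"] == 1


def web_admin_login(db, name, password):
    return authenticate(db, name, password)


def rest_api_login(db, name, password):
    # Same gate as the web login; a separate check is where bypasses hide.
    return authenticate(db, name, password)


def reproduce(save):
    """Run the report's steps with the given save routine. Returns
    (gui shows inactive, web login succeeds, REST login succeeds)."""
    db = make_credentials_table()
    save(db, "crm7", inactive=True)          # admin ticks Inactive, saves
    return (
        gui_shows_inactive(db, "crm7"),
        web_admin_login(db, "crm7", "constructed-secret"),
        rest_api_login(db, "crm7", "constructed-secret"),
    )
```

With the buggy save the GUI flips back to Active and both logins succeed; with the fixed save the flag sticks and both entry points refuse the account.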


Comments

[2020.11.24: marcu]

Is this bug hard to fix, or why is this kind of security focused bug not fixed for several releases (three years??)?

It seems quite useless to barricade the front door when the kitchen door is wide open... :)

Details
Issue id 8718
Registered 1 Sep 2016
Last modified 15 Feb 2021
Severity High
Area Sales
Status Reported
Target release
Type Bug