• 8718
  • 1 Sep 2016
  • 15 Feb 2021
  • High
  • Sales
  • Reported
  • Bug

Steps to Reproduce

In the SuperOffice Web admin, you have the ability to disable the Other/System users. When doing so, you expect that you can no longer log in with these users. On the contrary, disabling them does not prohibit these accounts from logging in. Tested in SO 8 SR2.

Step by step to reproduce:
Log in to Web Admin
Go to Other Users
Edit a user (like crm7) and put the user as Inactive
Save the setting
Try to log in as the crm7 user in Web Admin
Notice that you are able to log in as the crm7 user and access the REST API.

When checking the options for the crm7 user, notice that the user has switched from Inactive to Active again.

Note: the isActive flag in the Credentials table is always set to 1 even when GUI shows Inactive as ticked.



[2020.11.24: marcu]

Is this bug hard to fix, or why is this kind of security-focused bug not fixed for several releases (three years??)?

It seems quite useless to barricade the front door when the kitchen door is wide open... :)