Describe the bug
Users assigned to the "Legal" group who have Staff Status enabled currently possess the following permissions, among others, as documented by the permission matrix:
- Change dataspace
- Add users
- Change users
This appears to have unintended or at least unexpected consequences from the perspective of DejaCode users. Users with the permissions as described above can perform the following actions:
- Increase their privileges by making themselves a superuser
- Remove permissions from higher-privileged accounts such as superusers
- Deactivate higher-privileged users such as superusers
As such, assigning a user to the "Legal" group and giving them Staff Status is effectively equivalent to making them a superuser.
To Reproduce
- Create a user
- Assign them to the "Legal" group
- Enable Staff Status
- Log in as the user you have created
- Check that you can escalate your own privileges and edit superusers
Expected behavior
- Users should not be able to give themselves higher permissions
- Users should not be able to edit user accounts that have higher permissions than themselves
- It is questionable that the "Legal" group needs to manage the dataspace and users at all, as this is an administrative task
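One way to enforce the first two expected-behavior rules, added here as an illustration and not DejaCode's own code: a plain-Python authorization check modelled on Django's standard user flags (is_active, is_staff, is_superuser). The three-level rank ordering and the set of privilege-bearing fields are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a Django auth user (constructed for this example)."""
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    groups: frozenset = frozenset()


# Fields whose modification raises or lowers an account's privilege level.
# Assumption: only a superuser may change them, on any account including their own.
PRIVILEGE_FIELDS = {"is_active", "is_staff", "is_superuser", "groups", "user_permissions"}


def privilege_rank(user: User) -> int:
    """Assumed ordering: regular user (0) < staff (1) < superuser (2)."""
    if user.is_superuser:
        return 2
    return 1 if user.is_staff else 0


def check_user_edit(actor: User, target: User, changes: dict) -> list:
    """Return the reasons why `actor` may not apply `changes` to `target`.

    An empty list means the edit is allowed. `changes` maps field name to the
    new value, as an admin form would submit them.
    """
    reasons = []
    if not (actor.is_active and actor.is_staff):
        reasons.append("actor is not an active staff user")
    # Rule 1: never edit an account that outranks your own.
    if privilege_rank(target) > privilege_rank(actor):
        reasons.append(f"{target.username} outranks {actor.username}")
    # Rule 2: privilege-bearing fields (self-edits included) require a superuser.
    touched = sorted(PRIVILEGE_FIELDS.intersection(changes))
    if touched and not actor.is_superuser:
        reasons.append(f"non-superuser may not change {', '.join(touched)}")
    return reasons


if __name__ == "__main__":
    # Constructed accounts mirroring the report: a Legal staff member and a superuser.
    legal = User("legal_staff", is_staff=True, groups=frozenset({"Legal"}))
    admin = User("admin", is_staff=True, is_superuser=True)
    print(check_user_edit(legal, legal, {"is_superuser": True}))  # self-escalation denied
    print(check_user_edit(legal, admin, {"is_active": False}))    # deactivating a superuser denied
    print(check_user_edit(admin, legal, {"is_superuser": True}))  # [] : superuser may promote
```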
Screenshots
n.a.
Context (OS, Browser, Device, etc.):
n.a.