Ticket #4491 (closed Bug: fixed)
Opened 10 years ago
prefs_users_overview exposes security related information
Reported by: rafrombrc
Owned by:
For non-managers, there is no link to the prefs_users_overview template, but if a user types the URL into his/her browser the page will display. Furthermore, it will allow searches, and will return the correct user roles for each of the users that are in the search results. They are not given the ability to change these roles, thankfully, although the interface wrongly implies that they can.
Ideally this screen would either not be available at all to users w/o the appropriate role management permissions, or else the search results should be modified to not display the role information. The first option probably makes more sense and would be easier to implement.
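The two remedies proposed above, sketched as an added example in plain Python; this is not the project's code or the fix that closed the ticket. The `User` model, the sample directory, the function names and the `"Manage users"` permission name are assumptions made for illustration.

```python
from dataclasses import dataclass

MANAGE_USERS = "Manage users"  # assumed name for the role-management permission

class Unauthorized(Exception):
    """Raised when the caller lacks the permission guarding a view."""

@dataclass(frozen=True)
class User:
    login: str
    roles: tuple
    permissions: frozenset = frozenset()

# Constructed sample directory, not data from the ticket.
DIRECTORY = [
    User("alice", ("Manager",), frozenset({MANAGE_USERS})),
    User("bob", ("Member",)),
    User("carol", ("Reviewer", "Member")),
]

def search(term):
    """Case-insensitive substring match on login names."""
    return [u for u in DIRECTORY if term.lower() in u.login.lower()]

def overview_as_reported(caller, term):
    """Behaviour in the ticket: only the link is hidden, so any caller who
    requests the page directly gets search results with each user's roles."""
    return [{"login": u.login, "roles": list(u.roles)} for u in search(term)]

def overview_guarded(caller, term):
    """First option: refuse the whole view without the permission."""
    if MANAGE_USERS not in caller.permissions:
        raise Unauthorized("prefs_users_overview requires " + MANAGE_USERS)
    return overview_as_reported(caller, term)

def overview_redacted(caller, term):
    """Second option: keep the search, omit roles for unprivileged callers."""
    if MANAGE_USERS in caller.permissions:
        return overview_as_reported(caller, term)
    return [{"login": u.login} for u in search(term)]
```

In both remedies the check runs on the server side for every request, so whether the navigation link is shown no longer decides who can read the role data.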