Admin changing User level via More Actions button
-
- FormaLms User
- Posts: 124
- Joined: Thu May 05, 2016 6:53 am
- Version: forma.lms 2.0
- Location: UK
- Contact:
Admin changing User level via More Actions button
Hi,
I found a user who had been made a Super admin by an Admin, in error.
The Admin had used the More Actions option in the Organisation chart to edit a user's password; they had ticked the New password, populated the boxes and also ticked the Level, which by default is set to Super admin.
This resulted in a level change, giving a user Super admin privileges and access to all users' details.
This was in a site running 3.01; I have tested it and it is still possible in 4.0.7.
Can this be amended in the Administrator profile settings?
See image
Cheers
Graeme
Re: Admin changing User level via More Actions button
Hi Graeme, it's not a bug, but I agree, an Admin should not be capable of changing levels at all, or, if needed, should not be capable of elevating levels. This is a privilege escalation vulnerability of Forma.
For FREE support, contact me privately here
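
One way to enforce the rule stated in the reply above on the server side, as an added example that is not Forma LMS code; the level names, ranks and form field names are assumptions:

```php
<?php
// Added example: level names, ranks and form field names are assumptions,
// not Forma LMS identifiers.
const LEVEL_RANK = ['user' => 1, 'admin' => 2, 'superadmin' => 3];

/**
 * Server-side filter for a bulk-edit form whose optional fields each have a
 * tick box. Returns the changes that may be applied to the target user.
 * A denied level change rejects the whole submission, password included.
 */
function authorizeBulkEdit(string $actorLevel, string $targetLevel, array $form): array
{
    $changes = [];

    // Password: applied only when its box is ticked and a value was sent.
    if (!empty($form['set_password']) && ($form['new_password'] ?? '') !== '') {
        $changes['password'] = $form['new_password'];
    }

    // Level: never trust the form default; check the actor's rank here.
    if (!empty($form['set_level'])) {
        $newLevel = $form['level'] ?? '';
        if (!is_string($newLevel) || !array_key_exists($newLevel, LEVEL_RANK)) {
            throw new InvalidArgumentException('Unknown level');
        }
        $actor = LEVEL_RANK[$actorLevel] ?? 0;
        $isTop = $actor === max(LEVEL_RANK);
        // Non-top actors must outrank both the target and the requested level.
        $allowed = $isTop
            || ($actor > (LEVEL_RANK[$targetLevel] ?? PHP_INT_MAX)
                && $actor > LEVEL_RANK[$newLevel]);
        if (!$allowed) {
            throw new RuntimeException("Level change to '$newLevel' denied for '$actorLevel'");
        }
        if ($newLevel !== $targetLevel) {
            $changes['level'] = $newLevel;
        }
    }
    return $changes;
}

// Constructed input: the submission described in the thread, sent by an Admin.
$form = ['set_password' => '1', 'new_password' => 'example-only',
         'set_level' => '1', 'level' => 'superadmin'];
try {
    authorizeBulkEdit('admin', 'user', $form);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// The same form submitted by a Super admin is accepted.
print_r(array_keys(authorizeBulkEdit('superadmin', 'user', $form)));
```

With three levels this rule means an Admin can never change a level; with more tiers it still blocks any elevation to the actor's own rank or above.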
Re: Admin changing User level via More Actions button
Hi,
I agree Admins have no need to change levels.
It’s also a GDPR risk which is a concern.
Graeme
Re: Admin changing User level via More Actions button
Hello,
Got it, we'll get back with a fix ASAP.
---------------------
Massimiliano Ferrari
Elearnit - Elearning e Knowledge Management
https://www.elearnit.net
https://www.linkedin.com/in/massimilianoferrari
m.ferrari[at]elearnit.net
Skype: m_ferrari_it
Re: Admin changing User level via More Actions button
Hi Max,
Thank you.
Cheers
Graeme
-
- Newbie
- Posts: 22
- Joined: Tue Feb 27, 2024 9:55 am
Re: Admin changing User level via More Actions button
Hi Graeme,
Thanks for reporting; I can inform you that we have released version 4.0.9, in which the problem has been resolved.
Greetings