Administrator can downgrade his session

Issue description

It is currently possible for an administrator to change the user of the session. This is isolated and does not affect the whole session, but he could downgrade his session to a user session after the respective function is called.

Developer comments

This will be no longer possible after [13655, this issue] is resolve, because currently the session is held in a globally and in the near future it will be bound by a readonly property to the request and the global access will disappear.

Reporting date

2024-11-12

Resolving date

2025-03-06

Resolved by

Robert Cerny

Resolved in version

Topincs 10.0.0 - next major release

Part of

Harden against malicious admin(Enhancement)

Related to

Remove global state(Change)