I was testing user privileges (specifically the login as user feature using an admin user's session ID) and found one scenario where I couldn't determine whether it's valid or not.
Steps I tried:
I created a new admin role which doesn't have the privilege to log in as a user but is just able to view customer records (like review), and linked it to user1. Note: The Edit privilege is disabled, so it automatically hides the Login button under the Customers UI.
I logged into the Admin app using user1 and can rightly see the "login" button hidden.
I picked up the user1 session ID and directly passed it into ?AdminLoginSubmit.do?id=SOME_VALID_USERID&sess=(user1_sess_id)
Expected:
The user shouldn't be logged into, since user1 doesn't have the privilege.
Actual:
I logged in as the user.
Is that expected, a valid scenario, or is it implemented in such a way that any Admin user's session ID bypasses privilege settings in this case?
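
The gap described in the post, a button hidden in the UI versus a check made on the server, as an added example that is not part of the original post and not the product's code: a minimal Python model of a login-as-user handler that only validates the session, next to one that re-checks the privilege on every request. All names, privilege strings and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical privilege names and constructed sample data (not from any real product)
LOGIN_AS_USER = "customer.login_as_user"
VIEW_CUSTOMERS = "customer.view"
ROLE_PRIVILEGES = {
    "full_admin": {VIEW_CUSTOMERS, LOGIN_AS_USER},
    "review_only": {VIEW_CUSTOMERS},          # the role linked to user1 in the post
}
SESSIONS = {
    "sess-admin1": {"admin": "admin1", "role": "full_admin"},
    "sess-user1": {"admin": "user1", "role": "review_only"},
}
CUSTOMERS = {"1001", "1002"}

@dataclass
class Response:
    status: int
    body: str

def login_as_user_session_only(params):
    """Models the reported behaviour: any valid admin session is accepted."""
    session = SESSIONS.get(params.get("sess", ""))
    if session is None:
        return Response(401, "invalid session")
    if params.get("id") not in CUSTOMERS:
        return Response(404, "unknown user")
    return Response(200, f"logged in as {params['id']}")

def login_as_user_enforced(params, audit_log):
    """Same endpoint, with the privilege re-checked server-side on each request."""
    session = SESSIONS.get(params.get("sess", ""))
    if session is None:
        return Response(401, "invalid session")
    if LOGIN_AS_USER not in ROLE_PRIVILEGES.get(session["role"], set()):
        # The UI never offers this action to the role, so a denied request
        # means the endpoint was called directly: record it for review.
        audit_log.append(("denied", session["admin"], params.get("id")))
        return Response(403, "missing privilege")
    if params.get("id") not in CUSTOMERS:
        return Response(404, "unknown user")
    audit_log.append(("allowed", session["admin"], params["id"]))
    return Response(200, f"logged in as {params['id']}")
```
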