a user privilege question

Started by Pier39, May 21, 2012, 04:08:48 pm

Pier39

I was testing user privileges (specifically the login as user using an admin user session id) and found one scenario where I couldn't determine whether it's valid or not.

Steps I tried:
I created a new admin role (which doesn't have the privilege to log in as a user but is just able to view customer records, like review) and linked it to user1. Note: Edit privilege is disabled, so it automatically hides the Login button under the Customers UI.
I logged into the Admin app using user1 and can rightly see the "login" button is hidden.
I picked up the user1 session ID and passed it directly into ?AdminLoginSubmit.do?id=SOME_VALID_USERID&sess=(user1_sess_id)

Expected:
The user shouldn't be logged into, since user1 doesn't have the privilege.

Actual:
I logged into the user.

Is that expected, a valid scenario, or is it implemented in such a way that any Admin user's session id bypasses privilege settings in this case?
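
The two possibilities the question asks about, modelled as an added example (not code from the post or from KonaKart): a handler that accepts any valid admin session because the UI already hides the button, beside one that re-checks the role's privilege on each request. The role fields, session ids, customer record and function names are all hypothetical.

```python
from dataclasses import dataclass

# Constructed privilege model; field names are hypothetical, not KonaKart's schema.
@dataclass(frozen=True)
class Role:
    name: str
    can_view_customers: bool
    can_edit_customers: bool  # in the post, this flag also hides the Login button

# Constructed sample data: session id -> (admin user, role)
SESSIONS = {
    "sess-user1": ("user1", Role("reviewer", True, False)),
    "sess-root": ("root", Role("superadmin", True, True)),
}
CUSTOMERS = {42: "alice@example.test"}

class Forbidden(Exception):
    pass

def login_button_visible(sess):
    """UI layer: decides only what is rendered, not what is allowed."""
    return SESSIONS[sess][1].can_edit_customers

def login_as_customer_ui_only(sess, customer_id):
    """Handler that trusts the UI: any valid admin session is accepted."""
    if sess not in SESSIONS or customer_id not in CUSTOMERS:
        raise Forbidden("invalid session or customer")
    return f"customer-session-for-{customer_id}"

def login_as_customer_enforced(sess, customer_id):
    """Handler that re-checks the role's privilege on every request."""
    if sess not in SESSIONS:
        raise Forbidden("invalid session")
    admin, role = SESSIONS[sess]
    if not role.can_edit_customers:
        raise Forbidden(f"{admin} ({role.name}) may not log in as a customer")
    if customer_id not in CUSTOMERS:
        raise Forbidden("unknown customer")
    return f"customer-session-for-{customer_id}"

def is_allowed(handler, sess, customer_id):
    """Regression-test helper: True if the handler grants the request."""
    try:
        handler(sess, customer_id)
        return True
    except Forbidden:
        return False
```

A regression test for a restricted role should assert that the direct request is refused, not only that the button is hidden.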