While this isn’t a super serious security issue (you need admin rights to exploit it), this does defeat the purpose of the email token for backup downloads. I’d assume that the same problem also exists for the token to grant admin rights to another account.
I’m not sure what’s the best way to tackle this, maybe sending tokens can skip Sidekiq entirely?
Why does it? Only admins can access sidekiq and get the download token. An admin could visit /admin/backups and request a download token himself and it would have the same result…
But the whole point of having these tokens was to protect against the worst consequences in case an admin session or password is stolen, assuming that the admin’s email account is still safe.
For reference, here’s the post when the feature was announced:
Also, see this post for when tokens were introduced for granting admin privileges:
If admins can simply get these tokens from Sidekiq, why do we have these tokens at all? They’re here as a form of two-factor authentication for the most sensitive actions an admin can take.
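To make the trade-off concrete, here is an added illustration (not Discourse's own code, nor code from anyone in this thread) of the two patterns the thread contrasts. It models the background queue as a plain Ruby array standing in for Sidekiq's job args, which the Sidekiq dashboard displays to any admin; the table, mailer and `secure_compare` helper are likewise constructed stand-ins. The weak path enqueues a mailer job with the plaintext token in its arguments, so the token is recoverable from the queue; the hardened path (the "skip Sidekiq" idea above) renders and sends the email inline and persists only a SHA-256 digest, so neither the queue nor the database holds the plaintext.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for the job queue. Sidekiq keeps job args in Redis and
# renders them in its web UI, so anything placed in args is readable by
# whoever can open the dashboard.
QUEUE = []

# Constructed stand-in for the users/tokens table: holds only a digest.
TOKEN_STORE = {}

# Constructed stand-in for the mailer: records what would have been sent.
OUTBOX = []

def issue_token
  SecureRandom.hex(16)
end

# Weak pattern: the plaintext token is handed to a queued job so the job can
# render the email. The token is now visible in the queue's job args.
def request_backup_token_via_queue(user_id)
  token = issue_token
  TOKEN_STORE[user_id] = Digest::SHA256.hexdigest(token)
  QUEUE << { "class" => "BackupTokenMailerJob", "args" => [user_id, token] }
  token
end

# Hardened pattern: render and send the email inline so the plaintext never
# enters the queue. Only the digest is persisted for later verification.
def request_backup_token_inline(user_id)
  token = issue_token
  TOKEN_STORE[user_id] = Digest::SHA256.hexdigest(token)
  OUTBOX << { "to" => user_id, "body" => "Your backup download token: #{token}" }
  token
end

# Constant-time comparison of two equal-length strings (constructed helper).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a presented token against the stored digest for this user.
def verify_backup_token(user_id, presented)
  stored = TOKEN_STORE[user_id]
  return false if stored.nil?
  secure_compare(stored, Digest::SHA256.hexdigest(presented.to_s))
end

# Audit helper: does any queued job carry the given secret in its args?
def queue_exposes?(secret)
  QUEUE.any? { |job| job["args"].any? { |a| a.to_s.include?(secret) } }
end

if __FILE__ == $PROGRAM_NAME
  t1 = request_backup_token_via_queue(1)
  puts "queued variant exposes token: #{queue_exposes?(t1)}"   # true
  t2 = request_backup_token_inline(2)
  puts "inline variant exposes token: #{queue_exposes?(t2)}"   # false
  puts "verify: #{verify_backup_token(2, t2)}"                 # true
end
```

The point of `queue_exposes?` is the check a reviewer would run against the first variant: if the secret the email is meant to carry can be found in job arguments, the email step is no longer an independent factor for anyone who can read the queue.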