Grant Admin without Logging In


(Diego Barreiro) #1

I’m not sure if this should be done without logging in, but I was able to grant admin without logging in with my account:


What I’ve done was to Grant Admin to a user, log out, hit the link in the email and I verified the admin

I think that for granting administration it must be required to be signed in during the whole process, not just in the beginning, because anyone can accept that admin access :confused:


(Felix Freiberger) #2

How? Accepting that requires the link in the mail.
If an attacker can somehow get links in mails sent to you, he can also just reset your password and log in.