User is able to lock their own account
If a user has permission to view certain details of others' accounts (like for example allowing colleagues to share mobile numbers via the directory), and they have the permission to modify certain parts of their own information (ie via editowninfos), then they are able to lock their own account (which I do not want them to be able to do). Despite their being no specific permission granted to this property, a person is nonetheless able to affect it.
(from redmine: issue id 5397, created on 2017-02-19, closed on 2017-03-23)
- Changesets:
- Revision fc583418 by Côme Chilliet on 2017-03-13T10:06:17.000Z:
Fixes #5397 Use a separate ACL for account locking
- Revision db40f923 by Côme Chilliet on 2017-03-23T09:24:02.000Z:
Fixes #5397 Use a separate ACL for account locking
- Custom Fields:
- Bug in version: 1.0.19