Remote administrator changes username, resulting in loss of project data #5436

Open
4 tasks done
feldoe opened this issue Mar 19, 2024 · 0 comments
feldoe commented Mar 19, 2024

Checklist

  • I verified that Kanboard is correctly installed
  • I verified that the problem does not come from a plugin
  • I verified that the problem is not already reported
  • I understand that Kanboard is in maintenance mode. It doesn't mean it's abandoned, but there is no significant feature development

Actual behaviour

A remote administrator is able to change their user name, resulting in unexpected behavior. Most severely, existing projects are not visible or accessible anymore.

Expected behaviour

Remote administrators should not be able to change their own user names.

Steps to reproduce

Prerequisite: Kanboard is configured to accept logins from users via LDAP. At least one of the users is configured as an administrator (by adding the respective Active Directory Group to the Kanboard configuration file). Create at least one project with this user.

  1. Log in to Kanboard as a remote administrator
  2. Go to "My profile" (top right, user settings)
  3. Under Actions, select "Edit profile"
  4. Change the username and click save
  5. Try to log in with the new username

After logging out, it is not possible to log in with the newly chosen username; however, the LDAP username should still be able to log in. After a successful login with the LDAP username, all previously created projects are gone. Under users management there are now two users, the original LDAP user and the "new" user which was created when the administrator changed their own username. If the duplicate user is deleted from the dashboard, the original LDAP user can still log in. However, I was not able to recover any of the projects (created or member of) from before the username was changed (in my case data recovery is not important!).

Screenshots

Logs

Configuration

  • Kanboard version: 1.2.34
  • Database type and version: 10.8.8-MariaDB
  • PHP version: 8.0.30
  • OS:
  • Browser: Google Chrome
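
The report above, as an added example that is not part of the original issue and is not Kanboard's code: a simplified model of a user store, run once without and once with the guard asked for under "Expected behaviour". It assumes LDAP logins are matched to local accounts by username and that a missing account is provisioned on login; the class names, the `lock_remote_usernames` switch and the sample usernames are constructed for illustration.

```python
# Simplified model (constructed for illustration; not Kanboard's code).
from dataclasses import dataclass, field
from itertools import count

@dataclass
class User:
    id: int
    username: str
    is_remote: bool
    projects: list = field(default_factory=list)

class UserStore:
    def __init__(self, lock_remote_usernames):
        self.lock_remote_usernames = lock_remote_usernames
        self.users = {}
        self._ids = count(1)

    def by_username(self, username):
        return next((u for u in self.users.values() if u.username == username), None)

    def ldap_login(self, directory_username):
        # Assumption: the directory name is matched to a local row, else one is provisioned.
        user = self.by_username(directory_username)
        if user is None:
            user = User(next(self._ids), directory_username, is_remote=True)
            self.users[user.id] = user
        return user

    def edit_profile(self, user, new_username):
        if user.is_remote and self.lock_remote_usernames:
            raise PermissionError("username is managed by the directory")
        if self.by_username(new_username) is not None:
            raise ValueError("username already taken")
        user.username = new_username

def reproduce(lock_remote_usernames):
    store = UserStore(lock_remote_usernames)
    admin = store.ldap_login("jdoe")       # constructed sample username
    admin.projects.append("Roadmap")       # project tied to the account row
    try:
        store.edit_profile(admin, "john")  # step 4 of the report
    except PermissionError:
        pass                               # guard refused the rename
    after = store.ldap_login("jdoe")       # log in again with the LDAP name
    return len(store.users), after.projects
```

Without the guard the model ends with two accounts and an empty project list for the LDAP login; with it, the single account keeps its project.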