I verified that the problem does not come from a plugin
I verified that the problem is not already reported
I understand that Kanboard is in maintenance mode. It doesn't mean it's abandoned, but there is no significant feature development
Actual behaviour
A remote administrator is able to change their user name, resulting in unexpected behavior. Most severely, existing projects are not visible or accessible anymore.
Expected behaviour
Remote administrators should not be able to change their own user names.
Steps to reproduce
Prerequisite: Kanboard is configured to accept logins from users via LDAP. At least one of the users is configured as an administrator (by adding the respective Active Directory Group to the Kanboard configuration file). Create at least one project with this user.
Log in to Kanboard as a remote administrator
Go to "My profile" (top right, user settings)
Under Actions, select "Edit profile"
Change the username and click save
Try to log in with the new username
After logging out, it is not possible to log in with the newly chosen username; however, the LDAP username should still be able to log in. After a successful login with the LDAP username, all previously created projects are gone. Under users management there are now two users, the original LDAP user and the "new" user which was created when the administrator changed their own username. If the duplicate user is deleted from the dashboard, the original LDAP user can still log in. However, I was not able to recover any of the projects (created or member of) from before the username was changed (in my case data recovery is not important!).
Screenshots
Logs
Configuration
Kanboard version: 1.2.34
Database type and version: 10.8.8-MariaDB
PHP version: 8.0.30
OS:
Browser: Google Chrome
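An added example, not part of the original report and not Kanboard's code: a minimal Python model of the behaviour reported above, next to the guard the report asks for. It assumes that a directory-backed login matches the local account by username and creates one when no match exists; all names (`UserStore`, `replay`, `jdoe`, `john`, `roadmap`) are constructed for illustration.

```python
import itertools

class UserStore:
    """Constructed model of a local user table fed by directory (LDAP) logins."""

    def __init__(self, guard_remote_rename):
        self.guard_remote_rename = guard_remote_rename
        self.users = {}     # user_id -> {"username": str, "is_remote": bool}
        self.projects = {}  # project name -> owner user_id
        self._ids = itertools.count(1)

    def _find(self, username):
        return next((uid for uid, u in self.users.items()
                     if u["username"] == username), None)

    def directory_login(self, directory_username):
        """Called after the directory accepted the credentials.
        Assumption: the local row is matched by username, created if missing."""
        uid = self._find(directory_username)
        if uid is None:
            uid = next(self._ids)
            self.users[uid] = {"username": directory_username, "is_remote": True}
        return uid

    def rename(self, uid, new_username):
        """Profile edit. With the guard on, directory-managed names are read-only."""
        if self.guard_remote_rename and self.users[uid]["is_remote"]:
            raise PermissionError("username is managed by the directory")
        self.users[uid]["username"] = new_username

    def visible_projects(self, uid):
        return sorted(p for p, owner in self.projects.items() if owner == uid)


def replay(guard_remote_rename):
    """Replay the reported steps; return (user count, projects seen after re-login)."""
    store = UserStore(guard_remote_rename)
    uid = store.directory_login("jdoe")        # constructed directory account
    store.projects["roadmap"] = uid            # constructed project owned by it
    try:
        store.rename(uid, "john")              # the profile edit from the report
    except PermissionError:
        pass                                   # guard refused the edit
    uid_after = store.directory_login("jdoe")  # the directory still only knows "jdoe"
    return len(store.users), store.visible_projects(uid_after)
```

Without the guard the replay ends with two local accounts and the projects still bound to the renamed one; with it, the single account and its projects survive the re-login.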