Prevent Impersonation #10048


OutdoorEd created
  • ASP.NET Zero 8.5.0.0
  • MVC
  • .NET Core

This is a multitenant application. I log in as Host and then go to a Tenant and select a User to log in as (User A). User A has a Role that allows for adding Users but not Roles. In the User A role I can see all the Users in the User Grid. As User A I can click the Active button and select someone who is an Admin with higher levels of Permissions than I have and click Login as this User (Admin B). Now I have full Admin permissions and see the Roles link, which I did not have access to as User A. Then of course I can create new Roles and even extend User A's Permissions. In theory I should not be able to log in as Admin B. Is that handled through the Login for Users permission? (The documentation doesn't explain what every checkbox does.)

Rick


1 Answer(s)
  • ismcagdas created
    Support Team

    Hi @outdoored

    Is that handled through the Login for Users permission?

    Yes, you can revoke this permission if you want.
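
One way to close the escalation path described in this thread while keeping impersonation available is to refuse to impersonate any account that holds permissions the caller lacks. This is an added example, not ASP.NET Zero code and not part of the original posts; the `Account` type, `ImpersonationGuard`, and every permission name in it are hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model: illustrative types, not ASP.NET Zero classes.
public sealed record Account(long Id, int? TenantId, IReadOnlySet<string> GrantedPermissions);

public static class ImpersonationGuard
{
    // Placeholder for the permission the thread calls "Login for Users".
    public const string ImpersonationPermission = "PLACEHOLDER.LoginForUsers";

    // Returns null when impersonation is allowed, otherwise the reason it is denied.
    public static string? DenyReason(Account actor, Account target)
    {
        if (!actor.GrantedPermissions.Contains(ImpersonationPermission))
            return "actor lacks the impersonation permission";
        if (actor.Id == target.Id && actor.TenantId == target.TenantId)
            return "actor and target are the same account";
        // A tenant user stays inside its own tenant; only host (TenantId == null) may cross.
        if (actor.TenantId != null && actor.TenantId != target.TenantId)
            return "target belongs to another tenant";
        // Core rule: the target must not hold any permission the actor lacks.
        var extra = target.GrantedPermissions.Except(actor.GrantedPermissions).ToList();
        return extra.Count > 0 ? "target holds permissions the actor lacks: " + string.Join(", ", extra) : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample accounts mirroring the thread: User A can add users, Admin B can also manage roles.
        const string P = ImpersonationGuard.ImpersonationPermission;
        var userA = new Account(2, 1, new HashSet<string> { "Users", "Users.Create", P });
        var adminB = new Account(3, 1, new HashSet<string> { "Users", "Users.Create", "Roles", "Roles.Create" });
        var userC = new Account(4, 1, new HashSet<string> { "Users" });

        Console.WriteLine(ImpersonationGuard.DenyReason(userA, adminB) ?? "allowed");
        Console.WriteLine(ImpersonationGuard.DenyReason(userA, userC) ?? "allowed");
    }
}
```

The check has to run on the server in the impersonation endpoint itself; hiding the menu entry in the user grid does not stop a direct request.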