Source: huntr, reported by seifallahhomrani1, report ID 62096B15-2B7B-4DE3-96D1-32754C5F9D44
History: Sep 18, 2022 - 11:50 a.m.

User's session persist after permanently deleting his account

www.huntr.dev
Tags: user session, permanently delete, admin role, access control

EPSS: 0.001 (Low), percentile 42.9%

Description

If a user is logged in and an admin permanently deletes that user's account, the user can still perform all of his normal actions until his session expires: deleting the account does not invalidate the existing session.

If the permanently deleted user holds the admin role, he is still able to permanently delete other admins from his stale session. Any admin deleted this way who is not logged in at that moment can no longer access his account in the future.

Proof of Concept

  • Log in as “admin” (Super-Admin)
  • Create a user ( tmp_admin ) with admin role
  • Log in as “tmp_admin” in another browser
  • Using the “admin” account, delete the “tmp_admin” account permanently
  • Go back to the other browser where “tmp_admin” is logged in and perform your normal actions, like creating a ticket, etc.
  • Log out from the “admin” account
  • Using “tmp_admin”, delete the “admin” account permanently
  • Now you can’t log in as “admin”
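As an added example (not code from the report or from the affected project), the following Python session store closes the gap the steps above demonstrate: account state is re-checked on every request, not only at login, and every live session of a permanently deleted account is revoked at deletion time. The `AuthStore` class, its methods and the `replay_report_scenario` helper are constructed here for illustration.

```python
import secrets

class AuthStore:
    """In-memory users and server-side sessions (constructed for illustration)."""
    def __init__(self):
        self.users = {}     # username -> {"roles": set, "deleted": bool}
        self.sessions = {}  # session id -> username

    def create_user(self, name, roles=()):
        self.users[name] = {"roles": set(roles), "deleted": False}

    def login(self, name):
        user = self.users.get(name)
        if user is None or user["deleted"]:
            raise PermissionError("unknown or deleted account")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = name
        return sid

    def current_user(self, sid):
        # Re-check the account on every request, not only at login.
        user = self.users.get(self.sessions.get(sid))
        if user is None or user["deleted"]:
            self.sessions.pop(sid, None)  # drop the stale session
            return None
        return user

    def delete_user_permanently(self, actor_sid, target):
        actor = self.current_user(actor_sid)
        if actor is None or "admin" not in actor["roles"]:
            raise PermissionError("admin session required")
        self.users[target]["deleted"] = True
        # Revoke every live session of the deleted account immediately.
        for sid in [s for s, n in self.sessions.items() if n == target]:
            del self.sessions[sid]

def replay_report_scenario():
    """Replay the report's steps; returns (stale session still acts, deleted admin deleted admin)."""
    store = AuthStore()
    store.create_user("admin", {"admin"})
    store.create_user("tmp_admin", {"admin"})
    admin_sid, tmp_sid = store.login("admin"), store.login("tmp_admin")
    store.delete_user_permanently(admin_sid, "tmp_admin")
    still_active = store.current_user(tmp_sid) is not None
    try:
        store.delete_user_permanently(tmp_sid, "admin")
        could_delete_admin = True
    except PermissionError:
        could_delete_admin = False
    return still_active, could_delete_admin
```

With this store, step 5 of the proof of concept fails (the stale “tmp_admin” session resolves to no user) and step 7 is refused, so the “admin” account survives.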
