huntr report C62126DC-D9A6-4D3E-988D-967031876C58, reported by raiders0786
Dec 22, 2022 - 1:52 p.m.

Username fields are not unique to users, allowing exploitation of primary key logic by creating the same name with different combinations, and unauthorized access

www.huntr.dev
9
Tags: user role, primary key, exploitation, unauthorized access, user permission

EPSS: 0.001 (percentile: 41.3%)

Description

When creating a user role, the same username can be reused, which should not be the case; the username should be made unique.

Proof of Concept

1. Log in to the demo account at https://rdiffweb-demo.ikus-soft.com/login/
2. Enter the username and password as admin: admin123 respectively.
3. Visit https://rdiffweb-demo.ikus-soft.com/admin/users
4. Click on the "Add user" button.
5. Fill in the form as you choose, using the same email every time to create more such users, and change the "User Role" each time to whatever you want.
6. You will notice a major flaw in the user permission access control, where "username" is treated as a primary key.
7. Now add another user with the same username but with capital letters in some combination; the system will treat it as unique, and a new user role with the same "username" word will be created.
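
The case-variant duplicate from step 7, reproduced against a constructed in-memory SQLite table and then rejected by a uniqueness constraint on a normalized key. This is an added example, not rdiffweb's own code; the table, column and function names are hypothetical.

```python
import sqlite3

# Constructed sample input: one name in three letter-case combinations.
SAMPLE_USERNAMES = ["alice", "Alice", "ALICE"]

# Weak: uniqueness is enforced on the raw, case-sensitive string.
WEAK_SCHEMA = """CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    username_key TEXT)"""

# Hardened: uniqueness is enforced on a normalized key; the display
# form of the username is stored as entered.
HARDENED_SCHEMA = """CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    username_key TEXT NOT NULL UNIQUE)"""


def canonical(username: str) -> str:
    """Hypothetical normalization: trim whitespace and case-fold (Unicode-aware)."""
    return username.strip().casefold()


def create_users(schema, usernames, normalize=False):
    """Insert each username into a fresh database; return (accepted, rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    accepted, rejected = [], []
    for name in usernames:
        key = canonical(name) if normalize else name
        try:
            conn.execute(
                "INSERT INTO users (username, username_key) VALUES (?, ?)",
                (name, key),
            )
            accepted.append(name)
        except sqlite3.IntegrityError:  # UNIQUE constraint violated
            rejected.append(name)
    conn.close()
    return accepted, rejected


if __name__ == "__main__":
    print("weak:    ", create_users(WEAK_SCHEMA, SAMPLE_USERNAMES))
    print("hardened:", create_users(HARDENED_SCHEMA, SAMPLE_USERNAMES, normalize=True))
```

Enforcing the constraint in the database rather than only in form validation also covers concurrent requests and any other code path that creates users.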
