0013121: update user account details give link administrator account link in email

ID	Project	Category	View Status	Date Submitted	Last Update
0013121	mantisbt	email	public	2011-07-05 06:19	2012-08-26 16:17

Reporter	safee	Assigned To	dregad
Priority	urgent	Severity	major	Reproducibility	always
Status	closed	Resolution	no change required
Product Version	1.2.5

Summary	0013121: update user account details give link administrator account link in email
Description	I have changed reporter rights as Developer and update the account. while checking the emails this content is displaying Your account has been updated by an administrator. A list of these changes is provided below. You can update your account details and preferences at any time by visiting the following URL: http://localhost/mantis/account_page.php
Steps To Reproduce	On the click of above link logged as administrator not as developer.. I again change rights of other reporter and then log off as administrator and click of new email link, it ask for login.which is right.. But it is not possible at the time of logged as administrator.
Tags	No tags attached.

atrol 2011-07-05 16:00 developer ~0029096	Does this mean that another user who is not an administrator is getting administrator rights? I don't think so. What is the expected behaviour?

safee 2011-07-06 00:09 reporter ~0029103	yes.. I just logged as administrator and update reporter user to developer and check his email.. There is link like I mention above, that link gives direct access of my account means administrator's account.that reporter gets all rights from my account till he is not log off. security is not maintend. If I log off after this update process and after that check email of that reporter its working right.. It is asks for login for reporter to check its updated details.

dregad 2011-07-06 07:23 developer ~0029108	I think this is expected behavior, as Mantis keeps your session active by means of a cookie. Since you did not log off as administrator after updating the user's profile, that session was still current when you clicked on the link. Please try to click on the e-mail link on a different PC or using another browser on the same PC. Or, as you have already indicated, just log off as administrator after making the changes.

dregad 2012-08-17 07:01 developer ~0032604	Resolving due to lack of feedback for over a year