Improper Privilege Management in Mailtrain-org/mailtrain

Valid
Reported on Jun 5th 2021

BUG

A lower-level user (one with the global role None) can revoke an admin's access to a campaign.

IMPACT

The admin can no longer access the affected campaign. This happens when a lower-level user who holds the master role on the campaign adds the admin to the campaign's shares and then removes him again. Share rights on a single campaign should not allow a user with no global role to strip access from a global administrator.

STEP TO REPRODUCE

1. From the admin account, go to http://localhost:3000/users and add a new user, userB, with the role None.
UserB therefore has no access to any entity by default.

2. From the admin account, go to http://localhost:3000/campaigns and add a new campaign.
Add userB to this campaign with the master role.
UserB now has full access to this campaign.

3. Log in as userB and open the share page of the campaign created above, http://localhost:3000/campaigns/3/share .
Here userB adds the admin to this campaign with the master role.
Finally, userB removes the admin from the campaign's shares.

4. Return to the admin account and observe that the admin can no longer access the campaign.
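The following is an added example, not Mailtrain's code, that models the failure mode described in steps 1 to 4 in the abstract: users hold a global role, campaigns hold per-user shares, and effective rights are the union of both. The vulnerable variant deletes from a materialized rights table when a share is revoked, so revoking an explicit share also strips the rights that came from the target's global role. The hardened variant refuses a revocation against a target with a higher global role than the actor and recomputes rights from their sources after every change. The user names, the campaign id 3, the role names and the right names are all constructed for the example and are not claims about Mailtrain's internal data model.

```javascript
'use strict';

// Added example, not Mailtrain's code. Abstract model of "share management
// on one entity can revoke a global admin's access". All data is constructed.

const ROLE_RIGHTS = {
  master: new Set(['view', 'edit', 'share']),
  viewer: new Set(['view']),
};

// Constructed users: 'admin' is the global administrator, 'userB' has role None.
const users = {
  admin: { globalRole: 'master' },
  userB: { globalRole: 'none' },
};

// Campaign 3 has been shared with userB as master by the admin (steps 1-2).
function makeState() {
  return {
    shares: { 3: { userB: 'master' } },  // entityId -> userId -> role
    effective: {},                        // entityId -> userId -> Set(rights)
  };
}

// Recompute the materialized rights table from every source:
// the global role first, then explicit shares on top.
function rebuild(state) {
  state.effective = {};
  for (const entityId of Object.keys(state.shares)) {
    const table = (state.effective[entityId] = {});
    for (const [uid, u] of Object.entries(users)) {
      if (u.globalRole === 'master') table[uid] = new Set(ROLE_RIGHTS.master);
    }
    for (const [uid, role] of Object.entries(state.shares[entityId])) {
      const rights = table[uid] || (table[uid] = new Set());
      for (const r of ROLE_RIGHTS[role]) rights.add(r);
    }
  }
}

function hasRight(state, uid, entityId, right) {
  const row = state.effective[entityId] && state.effective[entityId][uid];
  return !!row && row.has(right);
}

// Vulnerable: only checks that the actor holds 'share' on the entity, then
// edits the materialized table directly. role === null means revoke.
function assignShareVulnerable(state, actor, entityId, target, role) {
  if (!hasRight(state, actor, entityId, 'share')) throw new Error('forbidden');
  if (role === null) {
    delete state.shares[entityId][target];
    delete state.effective[entityId][target];  // drops global-role rights too
  } else {
    state.shares[entityId][target] = role;
    state.effective[entityId][target] = new Set(ROLE_RIGHTS[role]);
  }
}

function outranks(a, b) {
  return users[a].globalRole === 'master' && users[b].globalRole !== 'master';
}

// Hardened: a revocation against a target with a higher global role than the
// actor is refused, and rights are always recomputed from their sources so an
// explicit share can only ever add to, never replace, what the role implies.
function assignShareHardened(state, actor, entityId, target, role) {
  if (!hasRight(state, actor, entityId, 'share')) throw new Error('forbidden');
  if (role === null && target !== actor && outranks(target, actor)) {
    throw new Error('forbidden: cannot revoke a share from a higher-privileged user');
  }
  if (role === null) delete state.shares[entityId][target];
  else state.shares[entityId][target] = role;
  rebuild(state);
}

// Steps 3-4 of the report: userB adds admin as master, then removes admin.
function reproduce(assign) {
  const state = makeState();
  rebuild(state);
  assign(state, 'userB', 3, 'admin', 'master');
  let revokeError = null;
  try {
    assign(state, 'userB', 3, 'admin', null);
  } catch (e) {
    revokeError = e.message;
  }
  return { adminCanView: hasRight(state, 'admin', 3, 'view'), revokeError };
}

// A legitimate revocation (admin removing an explicit share from themselves)
// must still leave the rights implied by the global role in place.
function selfRevokeKeepsGlobalRights() {
  const state = makeState();
  rebuild(state);
  assignShareHardened(state, 'admin', 3, 'admin', 'viewer');
  assignShareHardened(state, 'admin', 3, 'admin', null);
  return hasRight(state, 'admin', 3, 'edit');
}

console.log('vulnerable:', reproduce(assignShareVulnerable));
console.log('hardened:', reproduce(assignShareHardened));
```

Run with `node` to see both outcomes side by side: the vulnerable path ends with `adminCanView: false` and no error, the hardened path keeps `adminCanView: true` and reports the refused revocation. The two checks are independent: the privilege comparison stops the lower-level user from touching the admin's entry at all, and recomputing from sources means that even a permitted revocation can only remove what the share itself granted.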