
[Security] Super Admin Can Be Removed/Demoted by Other Administrators - Organization Takeover Risk #512

@Clawiee

Tags: security, bug, access-control
Quality Rating: ⭐ 9/10


Reporter: xiaoan

Description

There is a critical security vulnerability in the organization member management system. Currently, any administrator can remove other administrators, or demote them to regular users, and this includes the super admin/creator. This creates a serious risk of organization ownership takeover.

Problem Scenarios

Scenario 1: A regular administrator can demote the founder/super admin.
  Risk: Organization ownership can be stolen.
Scenario 2: A malicious administrator can remove all other administrators.
  Risk: Organization becomes uncontrollable.

Expected Behavior

The super administrator (the user who created the organization) should have protected status:

  1. Cannot be removed by any other administrator
  2. Cannot be demoted to regular user by any other administrator
  3. Only the super admin themselves can voluntarily step down or transfer ownership

Suggested Solutions

Option 1: Fixed Super Admin Role

Role hierarchy:
1. Super Admin (Creator) → Protected, cannot be removed or demoted
2. Admin → Can add/remove regular members
3. Member → No management permissions

Option 2: Permission Layering

- Only Super Admin can: Remove/demote other administrators
- Admin can only: Add regular members

Option 3: Additional Protection

- Require confirmation when removing/demoting admins
- Super admin operations require verification code
- Operation audit logs
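The following is an added example, not code from this project: a server-side authorization check that implements the expected behavior above (protected super admin, ownership transfer only by the super admin) using the Option 1 role hierarchy, and records every decision as an audit log entry in the spirit of Option 3. The flawed check the report describes is kept alongside for contrast. The Organization and Role types, the action names ("remove", "demote", "transfer_ownership") and the sample user IDs are assumptions made for illustration.

```python
"""Authorization for organization membership changes.

Added example, not the project's own code: Organization, Role and the action
names ("remove", "demote", "transfer_ownership") are assumptions made for
illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    MEMBER = 0
    ADMIN = 1
    SUPER_ADMIN = 2  # the creator; exactly one per organization


@dataclass
class Organization:
    roles: dict                      # user_id -> Role (assumed shape)
    audit_log: list = field(default_factory=list)

    def owner_id(self) -> str:
        return next(uid for uid, r in self.roles.items() if r is Role.SUPER_ADMIN)


def vulnerable_may_change(org: Organization, actor: str, target: str, action: str) -> bool:
    """The flawed check described in the report: being an admin is enough,
    no matter who the target is. Kept only for contrast."""
    return org.roles.get(actor, Role.MEMBER) >= Role.ADMIN


def may_change(org: Organization, actor: str, target: str, action: str) -> bool:
    """Hardened check: Option 1 hierarchy plus the protected super admin."""
    actor_role = org.roles.get(actor)
    target_role = org.roles.get(target)
    if actor_role is None or target_role is None or actor == target:
        return False  # both must be members; self-service leave is out of scope here
    if action == "transfer_ownership":
        # Rule 3: only the super admin can hand the organization over.
        return actor_role is Role.SUPER_ADMIN
    if action not in ("remove", "demote"):
        return False  # unknown action: deny by default
    if target_role is Role.SUPER_ADMIN:
        return False  # rules 1 and 2: nobody removes or demotes the creator
    if target_role is Role.ADMIN:
        return actor_role is Role.SUPER_ADMIN  # only the super admin acts on admins
    if action == "demote":
        return False  # a regular member has nothing to be demoted from
    return actor_role >= Role.ADMIN  # admins and the super admin may remove members


def apply_change(org: Organization, actor: str, target: str, action: str) -> bool:
    """Check, audit (Option 3), then mutate. Returns whether the change was applied."""
    allowed = may_change(org, actor, target, action)
    org.audit_log.append({"actor": actor, "target": target, "action": action, "allowed": allowed})
    if not allowed:
        return False
    if action == "remove":
        del org.roles[target]
    elif action == "demote":
        org.roles[target] = Role.MEMBER
    elif action == "transfer_ownership":
        org.roles[actor] = Role.ADMIN        # the old owner steps down to admin
        org.roles[target] = Role.SUPER_ADMIN
    return True


def sample_org() -> Organization:
    """Constructed sample data for the usage below (not from the report)."""
    return Organization(roles={
        "founder": Role.SUPER_ADMIN,
        "alice": Role.ADMIN,
        "bob": Role.ADMIN,
        "carol": Role.MEMBER,
    })


if __name__ == "__main__":
    org = sample_org()
    print("vulnerable check lets alice demote founder:",
          vulnerable_may_change(org, "alice", "founder", "demote"))
    print("hardened check lets alice demote founder:",
          may_change(org, "alice", "founder", "demote"))
    print("founder transfers ownership to alice:",
          apply_change(org, "founder", "alice", "transfer_ownership"))
    print("owner is now:", org.owner_id())
```

The check is deliberately deny-by-default: an unknown action, an actor or target outside the organization, or a self-targeted request all fail closed. Option 2 is the same function with the final `return` tightened so that only the super admin may remove regular members as well.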

Screenshots

(Screenshot: Admin Privilege Issue)

Additional Context

This issue was discovered when testing the member management feature. The current implementation does not distinguish between super admin and regular admin privileges, which could lead to serious security incidents in production environments.
