There is an improper access control issue that makes it possible for an admin to ban their own account, which deactivates that Ifme account and results in complete loss of admin access to Ifme.
Steps to reproduce:

1. In a private window, open the application at http://localhost:3000/users/sign_in and log in with the credentials of a normal user.
2. Go to http://localhost:3000/allies and search for the admin’s email address, then press “Add to allies” on the admin profile.
3. In the normal window, log in as the admin and accept the ally request.
4. Back in the private window, as the normal user, go to Ally > Admin profile, click “Report”, add a reason and submit it.
5. In the normal window, as the admin, go to http://localhost:3000/admin_dashboard and click “Ban User” next to the admin user.

The admin account is deactivated and cannot be recovered.
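The root cause is a ban action that never checks whether the acting admin is also the target. The following Ruby snippet is an added illustration, not ifme's own code: it models the ban operation as a plain service object and shows the self-ban guard that closes this gap. The class names (User, BanService, BanError) and the extra rule that admin accounts are kept out of the ban path altogether are assumptions made for the example.

```ruby
# Added example (not ifme's code): a ban operation with the missing
# self-ban check. User, BanService and BanError are hypothetical names.

class User
  attr_reader :id, :email
  attr_accessor :banned, :admin

  def initialize(id:, email:, admin: false)
    @id = id
    @email = email
    @admin = admin
    @banned = false
  end
end

class BanError < StandardError; end

class BanService
  # Returns the denial reason for a ban request, or nil when it is allowed.
  def self.denial_reason(actor:, target:)
    return "only admins may ban users" unless actor.admin
    # The check behind the advisory: an admin must not be able to
    # deactivate their own account through the ban action.
    return "an admin cannot ban themselves" if actor.id == target.id
    # Assumed hardening: admin accounts are not banned through this path.
    return "admin accounts cannot be banned here" if target.admin
    nil
  end

  # Bans the target and returns it; raises BanError when not allowed,
  # leaving the target untouched.
  def self.ban!(actor:, target:)
    reason = denial_reason(actor: actor, target: target)
    raise BanError, reason if reason
    target.banned = true
    target
  end
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new(id: 1, email: "admin@example.com", admin: true)   # constructed
  user  = User.new(id: 2, email: "user@example.com")                 # constructed
  BanService.ban!(actor: admin, target: user)
  puts "user banned: #{user.banned}"
  begin
    BanService.ban!(actor: admin, target: admin)
  rescue BanError => e
    puts "self-ban rejected: #{e.message}"
  end
  puts "admin still active: #{!admin.banned}"
end
```

In a Rails controller the same rule would sit in the ban action (or a before_action) and compare current_user with the user being banned before any deactivation happens.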
Update to version v7.32.1 or later