We have been doing some testing on User Permissions on a 9.10.4 site (https://sandbox.biolegend.com/) and have discovered that a login that has both frontend and backend access may be creating a potential security issue. Therefore, we wanted to bring this to your attention.
The issue is as follows (this is also walked through in the attached recording):
(1) The login has frontend access.
(2) The login has also been set to "Allow backend login" and has been set to DEFAULT permissions (under Options). The group that the login belongs to has no set permissions (no rights to the backend).
(3) However, when we log in to the backend, we are seeing everything!
So, somehow it looks like it is using the authenticated frontend permissions and they are leaking over to the backend and the login is seeing way more than they should.
Please note that we cannot repro this with consistency. Sometimes it gives the correct blank screen; other times (as shown in the attached recording) we have full access to everything.
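For reference, the expected behaviour in the scenario above can be expressed as a small authorization model with a regression check. This is an added illustration, not code from the product being reported on: the group, login and right names are constructed, and "DEFAULT" is modelled as "inherit backend rights from the login's groups only". The buggy variant shows the failure mode described in the report (frontend rights being merged into the backend decision), and the audit function flags any login whose backend rights exceed what its groups and explicit options grant.

```python
from dataclasses import dataclass

# Constructed sample model; names and rights are placeholders, not the product's own.
FRONTEND_RIGHTS = frozenset({"view_pages", "post_comments"})


@dataclass(frozen=True)
class Group:
    name: str
    backend_rights: frozenset = frozenset()  # empty = "no set permissions"


@dataclass(frozen=True)
class Login:
    username: str
    frontend_access: bool
    allow_backend_login: bool
    backend_permission_mode: str          # "DEFAULT" or "EXPLICIT"
    groups: tuple
    explicit_backend_rights: frozenset = frozenset()


def effective_backend_rights(login: Login) -> frozenset:
    """Correct rule: backend rights come only from backend configuration.

    - no backend login allowed  -> nothing
    - DEFAULT                   -> union of the groups' backend rights
    - EXPLICIT                  -> the rights set on the login itself
    Frontend access never contributes to this decision.
    """
    if not login.allow_backend_login:
        return frozenset()
    if login.backend_permission_mode == "DEFAULT":
        rights = set()
        for group in login.groups:
            rights |= group.backend_rights
        return frozenset(rights)
    return login.explicit_backend_rights


def leaky_backend_rights(login: Login) -> frozenset:
    """Hypothetical buggy rule reproducing the reported symptom: the
    authenticated frontend session's rights are merged into the backend
    decision, so a login with an empty group suddenly "sees everything"."""
    rights = set(effective_backend_rights(login))
    if login.frontend_access:
        rights |= FRONTEND_RIGHTS          # the leak: frontend rights cross over
    return frozenset(rights)


def backend_allows(login: Login, right: str, resolver=effective_backend_rights) -> bool:
    """Single check the backend should route every protected action through."""
    return right in resolver(login)


def audit_excess_backend_rights(logins, resolver) -> list:
    """Detection aid: list logins whose resolved backend rights exceed what
    their groups/explicit options grant. A non-empty result indicates leakage."""
    findings = []
    for login in logins:
        granted = effective_backend_rights(login)
        excess = resolver(login) - granted
        if excess:
            findings.append((login.username, sorted(excess)))
    return findings


# The configuration from the report: frontend access, backend login allowed,
# DEFAULT permissions, and a group with no backend rights at all.
REPORTED_LOGIN = Login(
    username="tester",
    frontend_access=True,
    allow_backend_login=True,
    backend_permission_mode="DEFAULT",
    groups=(Group("frontend-users"),),
)


if __name__ == "__main__":
    print("correct backend rights:", sorted(effective_backend_rights(REPORTED_LOGIN)))
    print("leaky backend rights:  ", sorted(leaky_backend_rights(REPORTED_LOGIN)))
    print("audit findings:", audit_excess_backend_rights([REPORTED_LOGIN], leaky_backend_rights))
```

With the correct resolver the reported login resolves to an empty backend right set (the "blank screen" outcome); with the leaky resolver the same login gains frontend rights in the backend, and the audit reports it. Running that audit over all logins after each permission change is a cheap way to catch the intermittent case the report describes.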