In my previous post, I asked how non-Admin members of the recovery group were supposed to start the recovery process without access to an Admin page. So far, it appears that the docs are lying (or the application is misbehaving).
Today, I tried to force the hand of 1Password (so to speak) by logging into my team as a non-admin member of the Recovery Group and pasting the URLs for various sensitive pages. In theory, a non-admin user who is a member of the Recovery group should have access to a page to start recoveries but have no access to information about other users or the team itself.
In practice, I find that 1Password does not present any UI to initiate recoveries but blithely displays other admin pages to the user when asked. There are no menus or buttons to access them, but pasting the URLs works, which allows this user to access, amongst other things, a list of my logged-in machines, a list of all team members, a list of pending invitations, etc. This even extends to administrative URLs like /admin/settings, which has been designated as the repository of billing and plan information at the end of the beta!
The pages come up with all the controls, buttons, and toggles that a bona fide admin would see. The controls I tried failed to save any information (even though the UI itself works as expected), but all the information was readable enough… Some pages, like /admin/vaults, did properly display the user's vaults (and not all vaults), but other admin pages have no business spitting out their contents to every Team user.
I am positive that AgileBits has the cryptography aspect well in hand, but have the Web App and the admin flow been tested at all? With such big issues affecting recovery and authentication, one wonders about the product as a whole…
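The behaviour reported above (no menu entry, yet the page renders when its URL is pasted) is what happens when access is enforced only by hiding UI elements. The following is an added example, not part of the original post and not 1Password's code, of a server-side, deny-by-default check applied to every request; the role names, the `/admin/people` and `/admin/recovery` paths, and the sample vault data are assumptions made for illustration.

```python
# Added example: deny-by-default, server-side authorization for admin routes.
# Role names, hypothetical paths and sample data are assumptions.
from dataclasses import dataclass, field

ADMIN, RECOVERY, MEMBER = "admin", "recovery", "member"

# Route -> roles allowed to read it. Any route not listed here is denied.
ROUTE_POLICY = {
    "/admin/settings": {ADMIN},
    "/admin/people": {ADMIN},                     # hypothetical path
    "/admin/recovery": {ADMIN, RECOVERY},         # hypothetical path
    "/admin/vaults": {ADMIN, RECOVERY, MEMBER},   # rows filtered per user below
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

# Constructed sample data: vault name -> names of users with access.
VAULTS = {
    "Personal-alice": {"alice"},
    "Personal-bob": {"bob"},
    "Shared": {"alice", "bob"},
}

def authorize(user, path):
    """True only if the route is known and the user holds an allowed role."""
    allowed = ROUTE_POLICY.get(path)
    return allowed is not None and bool(allowed & user.roles)

def handle(user, path):
    """Return (status, body). The check runs per request, independent of the UI."""
    if not authorize(user, path):
        return 403, None
    if path == "/admin/vaults":
        # Row-level filter: non-admins get only the vaults they belong to.
        # (That admins see every vault name is an assumption of this example.)
        visible = [v for v, members in VAULTS.items()
                   if ADMIN in user.roles or user.name in members]
        return 200, sorted(visible)
    return 200, f"{path} for {user.name}"
```

With this policy, a Recovery-group member who pastes `/admin/settings` gets a 403 while still reaching the recovery page and their own vault list.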