We just updated Planning Center with a small but significant change to permissions to enhance security. Until today, any user who had permission to edit people could edit anything in that person's profile, including updating their email address, phone numbers and password. One of our users pointed out that this ability could be exploited. A person with Scheduler permissions could technically change the password or edit the email address of an Administrator which would then allow them to login as that Administrator and have access to things their Scheduler permission did now allow.

To fix this, we've made it so that users can only edit the email address, phone numbers and password for users with their same permission or lower. If a Scheduler or Editor  edits an Administrator's profile, the Change Password button is not visible, and any email addresses are grayed out and are uneditable. They can still change other information and assign Properties and Positions, but they can't edit anything associated with that person's login information. They can, however, edit the email, phone numbers or passwords of people with their same permission or lower, since logging in as that person wouldn't give them any extra abilities.

Luckily, this has not ever been an issue that we know of, but once we realized it could be, we wanted to prevent it from becoming one.