Admin should authorize or decline internal user's requests. I don't see any page for this function under admin login.

in view details page of Admin, merchant accounts aren't being displayed.

Hash, when password is being stored, and also ensure password comparison also uses the hash

External User needs to be notified via email when critical transactions occur and also at the time of account creation.

logged in external user.
each account type being set a hyperlink but i click it and redirect to the login page.

Should be getToAccountId() instead of getFromAccountId()

All the IFs inside this if block is unnecessary. Remove them and just throw one error.

Checking and Saving non-critical transactions requested by the consumer is not displayed under pending transactions for tier 1 employee. They only appear under tier 2 login.

I can only see credit transaction requests under tier 1 login.

not done yet

From requirements doc: "Prevent malicious login controls"

We could limit login attempts, but then what do we do after attempts are exceeded? Lock account? how will we unlock?

I think request manager (tier 1) should be same as create account (tier 2). The only difference is that tier 1 needs tier 2's approval to finish the task.
When tier 1 submit a task such as creating a transaction or an account, they should be sent to tier 2 for approval. Currently nothing happens when I try to create either of them.

Im aware that theres some redundant code in front end... I'll try to clean it up if i have time... i know which page calls which function really well so i think its best that i do this myself...

When /users is requested it returns plain text password.

Expoliting Issue#7 user can update type field to some invalid value. If that happens this user can view the list of all users.

WHen I tried to transfer funds between existing account, a request was sent to tier2, and upon the approval the balance got updated. Need to remove authorization for merchant

For non-critical transactions, after tier 2 approves the transaction it should then be sent to tier 1 for final approval. Currently once tier 2 approves it, it will update the balance in consumer's account without tier 1 approval.

Based on the requirements: Tier 1 can view, create and authorize non-critical transactions upon
having authorization from the external users and tier 2 employee

Is that Only tier1 and tie2 can update the external user type between consumer and merchant.
Is it, UI seems like with some problem.

• updateAccount function should log which user changed which account with amount before and after the change.

all data sent should be encrypted.

For Tier2, not only can delete the whole user but also Delete one of the user's account.
Api is ready there.
/accounts/{accountId}

• Admin -> Can delete -> tier1,tier2
• Tier1 -> Cannot delete anything
• Tier2 -> Can delete -> individual/merchant
• individual/merchant -> Cannot delete anything

Front End and Backend

A User should be able to see transactions from only user with lower rank from his.

Potential security issue: Privacy

Admin should have permission to see all transactions.

Please fix the typos like some page with the wrong title.

For internal user when they are creating the account for external user, in the creating page could you add a list to show all the external user so we don't need to change page and copy-paste the userID.

When a credit account is created, in addition to the account number, we have to generate a Credit card number and CVV.

To prevent Spam and Bots

External User needs to be notified via email when critical transactions occur and also at the time of account creation.

For everytime we call the api, if is valid please redirect to the main page or has some system log pop out to let user know what going on.
If invalid, also pop the error out to let user know.

@prashanth-murali In create user and create account, everytime i click create, it popped out "request receive, email sent" LOL

I just tried to create an internal user by admin. When I hit submit, a box pops up saying: "Request sent. Check your Email." and if I hit "OK" nothing changes and it stays in the page with all the info I typed in the fields. After I hit "Submit or OK", it should clear all fields with a confirmation number/message that the user has been created.

I did not receive any email (I put my asu email), and also the user I tried to create is not listed there. I tried to log out/ refresh the page, but still can't see the new user.

"Internal Transactions Employee" not working for tier 1
It works for Tier 2

After 10 minutes of inactivity, the user should be logged out automaticaly.

When I click on Edit users under tier 2 employee login, no user is displayed in dropdown menu. I can't see any user.

Note: Tier 2 employee should be able to view, create, modify, and delete external users’ accounts
and view and modify internal users’ accounts

Bugs:

1. Every user show be able to update their own profile.

Security issues:

1. No one should be able to update the ID of any user
2. When updating user type, the value should be valid.
3. A user can not update his/her own user type field

Edit Users ---> Should give a list of existing users that can be edited.

Tier 2 employee:
can view, create, modify, and delete external users’ accounts
can view and modify internal users’ accounts