After installing Xplanner succesfully in a new enviroment I see that there are some remaining questions related to security.

I've noticed that there are several views where regular users are able to do some critical actions (such as creating new admin users).

For instance, a viewer/editor user can turn himself into an admin user (WEB-INF/jsp/edit/editPerson.jsp) but the code shows

<xplanner:isUserAuthorized resourceType="system" permission="sysadmin.promote">
...
</xplanner:isUserAuthorized>

Am I doing something wrong? Is this really a bug or something that can be solved via config.

Thanks in advance.
Ivan.