Description and Impact

Principal can add teachers only before the session starts but can remove teachers even after the session started .

This can be leveraged by the Principal because it gives him more control than necessary in terms of the distribution of the school's bugdet between the teachers .

This can be leveraged to achieve 2 different outcomes ..

1. Principal can come up with excuses to remove a teacher ( or more ) just before executing LevelOne :: graduateAndUpgrade so the Principal can punish a teacher that does not have a good relation with the him or to just help certain teachers make more money than they deserve .

2. If the Principal add himself as a teacher too ( using another issue existent within LevelOne ), he can come up with excuses to remove a teacher ( or more ) just before executing LevelOne :: graduateAndUpgrade so the Principal can be eligible to a % too from the dedicated 35% for the teachers .

Recommended mitigation

Add the notYetInSession modifier to LevelOne :: removeTeacher .

Or if it is intended for teachers to be removed anytime, implement a system to verify if a teacher misbehave or not during the session so in that case the Principal to can remove only malicious teachers .

PoC

There is not a PoC . The issue can be understood easily .