Re: Kudos to all involved
Although maybe no Kudos to the dev(s) who failed to confirm they were checking the authority of any access and to the tester(s) who failed to try and access it without the correct authority.
I'd be pushing 'yaqs' back into the testing team for a full going over - if they didn't bother with even the basic authorisation checking, did they validate query strings and form fields for tampering?