Multi-step process with no access control on one step.md

1. Log with admin credentials;
2. Upgrade or downgrade any user;

3. Verify the request and notice that you need to confirm;

4. Send the request from step 3 to repeater;
5. Log with wiener and copy the session cookie;
6. Go to repeater and change the session cookie copied from step 5;
7. Upgrade de wiener user to admin;