Any user can go to admin and log in as other user
when a user has rights to edit the homepage and clicks on 'administration' in the breadcrumb or when the url of the admin is typed in any user can go to the admin section. all tools are accessible there, rights are only checked in the individual components. it is however possible to login as any other user!!! don't know what other admin-functionality is left unprotected.