When a FreePBX user have visibility on the Asterisk CLI module, he can get the FreePBX admin credential (AMPMGRUSER/AMPMGRPASS) by issuing a CORE SHOW GLOBALS command. Is it a bug ?
Another point : Some months ago, I wrote a small patch on a completely different subject
Should I do anything else to help resolving the case (still unreviewed)
No it is not a bug. It is a feature with Asterisk.
As for the #3636, what version of FreePBX are you running and where in FreePBX do you get the /admin/config.php?type=setup&display=devices&action=resetall ?
I have to admit that /admin/config.php?type=setup&display=devices&action=resetall is not called by FreePBX but directly from a provisioning script, to setup the AstDB after populating FreePBX users and devices.
I’m not sure that this function is called anymore by FreePBX, but as long as the code remains here, I suppose that fixing it is not a bad thing
About the FreePBX admin credentials granted by Asterisk CLI FreePBX module:
Maybe a message on the administrator page can warn that granting Asterisk CLI to another FreePBX user allow this user to get admin credentials ?