User Permission Confusion

Please report bugs here!

Moderator: Thorsten

spambanjo
Posts: 2
Joined: Fri Jan 20, 2012 11:31 am

User Permission Confusion

Post by spambanjo » Fri Jan 20, 2012 11:52 am

I am setting up a board for my client to add users, but I don't want them to have the ability to view, edit or remove our user accounts.

Here's what I am doing, with the things that aren't right highlighted in bold.

1) Set up my user account, with full permissions.
2) Log in to my new account and use this to add my client with all permissions except Add/Edit/Delete users and group accounts.
3) Log out of my admin account.
4) Log in as the client.
5) I can't view any options regarding users. Great.

- At this point I want to give my client the ability to add users, but not to view, edit or remove accounts.

6) Log out as the client.
7) Log in as my admin account.
8) Enable "add user", and ONLY "add user" for the client's account.
- (The client should not be able to edit existing accounts, thus protecting my admin accounts.)
9) Log out of my admin account.

- OK, so let's log in as the client and see what we get...

10) Log in as the client.
11) I can add users, great.
12) Wait a second... I can access the list of existing users even though I should only have the ability to add users.
13) I can edit ALL users, even protected users... including my own admin account.
14) I can delete ALL users, even protected users... including my own admin account by simply editing their status from protected to active.
15) I can also add users with permissions that I myself don't have... this should never be possible.
- (What is stopping me adding an account with full permissions, effectively making myself an administrator?)

The same flaws are present when I set up user groups to do the same thing. I remove all individual user permissions and add the ability to "add users" and ONLY "add users" to the client's user group. I can then view, edit and delete any user.

Either I am doing something wrong or you need to give permissions some serious attention.

Please could you confirm this.

Edit: disabled smilies... as 8) was giving man in shades lol
When will these idiots learn that there's only three dots in an ellipsis.........
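
The checks the post above expects, sketched as an added example (not phpMyFAQ's code and not the fix referenced later in the thread): every user-management action requires its own right, and nobody can grant rights or modify accounts beyond the rights they hold. The right names, the `authorize` function and the sample accounts are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical right names for illustration; not phpMyFAQ's actual identifiers.
const RIGHT_ADD_USER    = 'adduser';
const RIGHT_EDIT_USER   = 'edituser';
const RIGHT_DELETE_USER = 'deluser';

// Each user-management action maps to exactly one right (assumed mapping).
const ACTION_RIGHTS = [
    'list'   => RIGHT_EDIT_USER,
    'add'    => RIGHT_ADD_USER,
    'edit'   => RIGHT_EDIT_USER,
    'delete' => RIGHT_DELETE_USER,
];

/**
 * Decide whether $actor may perform $action.
 * $actor and $target are arrays with a 'rights' list; $requestedRights is the
 * set of rights the actor wants stored on the new or edited account.
 */
function authorize(array $actor, string $action, ?array $target = null, array $requestedRights = []): bool
{
    $needed = ACTION_RIGHTS[$action] ?? null;
    // Unknown action, or the actor lacks that specific right: deny by default.
    if ($needed === null || !in_array($needed, $actor['rights'], true)) {
        return false;
    }
    // An actor may not touch an account that holds rights the actor lacks.
    if ($target !== null && array_diff($target['rights'], $actor['rights']) !== []) {
        return false;
    }
    // An actor may not grant rights they do not hold themselves.
    return array_diff($requestedRights, $actor['rights']) === [];
}

// Constructed sample accounts matching the scenario in the post.
$admin  = ['rights' => [RIGHT_ADD_USER, RIGHT_EDIT_USER, RIGHT_DELETE_USER]];
$client = ['rights' => [RIGHT_ADD_USER]];

$checks = [
    'client adds plain user'      => authorize($client, 'add'),
    'client adds user with edit'  => authorize($client, 'add', null, [RIGHT_EDIT_USER]),
    'client lists users'          => authorize($client, 'list'),
    'client edits admin'          => authorize($client, 'edit', $admin, $admin['rights']),
    'client deletes admin'        => authorize($client, 'delete', $admin),
    'admin edits client'          => authorize($admin, 'edit', $client, [RIGHT_ADD_USER]),
];
foreach ($checks as $label => $allowed) {
    printf("%-30s %s\n", $label, $allowed ? 'allow' : 'deny');
}
```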

Thorsten
Posts: 15022
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: User Permission Confusion

Post by Thorsten » Fri Jan 20, 2012 12:30 pm

Hi,

I will check this issue!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer

Thorsten
Posts: 15022
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: User Permission Confusion

Post by Thorsten » Sun Jan 29, 2012 12:56 pm

Hi,

Fixed with https://github.com/thorsten/phpMyFAQ/co ... 6af9217d56 for the 2.7.4 release.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer