I am setting up a board for my client to add users, but I don't want them to have the ability to view, edit or remove our user accounts.
Here's what I am doing, with the things that aren't right highlighted in bold.
1) Set up my user account, with full permissions.
2) Log in to my new account and use this to add my client with all permissions except Add/Edit/Delete users and group accounts.
3) Log out of my admin account.
4) Log in as the client.
5) I can't view any options regarding users. Great.
- At this point I want to give my client the ability to add users, but not to view, edit or remove accounts.
6) Log out as the client.
7) Log in as my admin account.
8) Enable "add user", and ONLY "add user" for the client's account.
- (The client should not be able to edit existing accounts, thus protecting my admin accounts.)
9) Log out of my admin account.
- OK, so let's log in as the client and see what we get...
10) Log in as the client.
11) I can add users, great.
12) Wait a second... I can access the list of existing users even though I should only have the ability to add users.
13) I can edit ALL users, even protected users... including my own admin account.
14) I can delete ALL users, even protected users... including my own admin account by simply editing their status from protected to active.
15) I can also add users with permissions that I myself don't have... this should never be possible.
- (What is stopping me adding an account with full permissions, effectively making myself an administrator?)
The same flaws are present when I set up user groups to do the same thing. I remove all individual user permissions and add the ability to "add users" and ONLY "add users" to the client's user group. I can then view, edit and delete any user.
Either I am doing something wrong or you need to give permissions some serious attention.
Please could you confirm this.
Edit: disabled smilies... as 8) was giving man in shades lol
User Permission Confusion
Moderator: Thorsten
When will these idiots learn that there's only three dots in an ellipsis.........
Re: User Permission Confusion
Hi,
I will check this issue!
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Re: User Permission Confusion
Hi,
fixed with https://github.com/thorsten/phpMyFAQ/co ... 6af9217d56 for the 2.7.4 release.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
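The access rules the report above expected (each action gated by its own right, no granting of rights the actor lacks, protected accounts left intact), as an added Python sketch. It is not phpMyFAQ's code or the fix from the linked commit; the right names, the `User` model and the rule that an actor cannot modify an account holding rights it lacks are assumptions.

```python
from dataclasses import dataclass

# Hypothetical right names for this sketch, not phpMyFAQ's identifiers.
ADD, LIST, EDIT, DELETE = "add_user", "list_users", "edit_user", "delete_user"

@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset = frozenset()
    protected: bool = False

def authorize(actor, action, target=None, grant=()):
    """Decide whether `actor` may perform `action` (deny by default)."""
    # 1. Every action needs its own right; "add" implies nothing else.
    if action not in actor.rights:
        return False
    # 2. No escalation: rights handed out must already be held by the actor.
    if not frozenset(grant) <= actor.rights:
        return False
    if target is not None:
        # 3. An actor cannot modify an account that holds rights it lacks.
        if not target.rights <= actor.rights:
            return False
        # 4. Protected accounts are never deleted; unprotecting one is an
        #    edit, which rules 1 and 3 already gate.
        if action == DELETE and target.protected:
            return False
    return True

def replay_report():
    """Replay steps 11-15 of the report with constructed accounts."""
    admin = User("admin", frozenset({ADD, LIST, EDIT, DELETE}), protected=True)
    client = User("client", frozenset({ADD}))
    return {
        "11 add plain user": authorize(client, ADD),
        "12 list users": authorize(client, LIST),
        "13 edit admin": authorize(client, EDIT, target=admin),
        "14 delete admin": authorize(client, DELETE, target=admin),
        "15 add full-rights user": authorize(client, ADD, grant=admin.rights),
    }

if __name__ == "__main__":
    for step, ok in replay_report().items():
        print(f"{step}: {'allowed' if ok else 'denied'}")
```

Only step 11 is allowed for an account that holds the add right alone; steps 12 to 15 are denied.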