SMF Development > Feature Requests

Separate permissions for board management?

<< < (2/4) > >>

Kindred:
Hi emanuele,

I think I understand what he's trying to say regarding the boards--
If you grant someone the "manage boards" permission, they can see and modify all boards, regardless of whether the usergroup could normally see those boards.
Specifically -
I have groups -- admins, mods-1 and mods-2.
I have boards -- general, admins-only and mods1-Board
mods-1 is granted permission to view only general and mods1-Board
mods-2 is granted permission to view only general

If mods-2 is granted the permission to manage boards, they can then see all board, including admins-only and mods1-Board. They can also alter the view/permissions for those board, thus granting themselves the rights to read and post in those boards.

What the OP is asking is for the permissions to check
If a usergroup can not normally access a board in the general list, that same group should not be able to see or edit it in the manage boards list.

(do note: I would not necessarily view this as a severe security issue... since it won't allow hacking and only occurs in an odd sort of circumstance that doesn't apply to most forums)

emanuele:
Yep, that's what I was thinking...
Will check and see if it is possible to do something.

N. N.:
This has always been by design. "Manage boards" is considered an admin permission. Admin permissions are practically equivalent, they imply all rights to execute the respective actions. If you give it to a membergroup, you practically *have* given them admin permissions over all boards - which implies it overwrites other "lesser" permissions. They're no longer "mods", they have (some) admin rights: you've given them. Yes, they will manage all boards on the forum, that's what the permission allows.

Although, I'm not sure I like the way this is done. Even if this is an admin permission, and stays that way, when it's set for a group the admin should be at least warned that they have granted a permission over all boards, regardless whether the group was accessing them before been granted this or not. Better wording at the minimum, adding an extra warning about the behavior perhaps.

Kindred:
Norv,

Despite this being designed, I would actually view this as a flaw/bug in the design...
I don't think it is the major security issue that the OP presents it as, but there should be a way to revise the view/access  permissions of the manage boards list the same way that the messageindex is handled.

KIMBAL:
has anything come from this topic ? because we have the same issue, we gave our supermods the permission to make boards because sometimes we cant get online to do it for them so made life easier sorta thing, whilst i was doing routine checks I found that a supermod?? I do not know which had been in the boards looking they got nosey and decided to give themselves access to our Admin corner !!

like someone said in a recent post it should not be visable if its not visable on the main board!

Navigation

[0] Message Index

[#] Next page

[*] Previous page