As the subject says ..
A Global Moderator can remove and edit posts created by an Admin.
This is a heavy bug I think :o
How?
a global mod has always been able to moderate everyone that includes admin and other moderators. even a board moderator can edit posts made by an admin.
Actually, I understand why it's an issue. It's the same as how users with the right to edit account settings can't edit those of an admin. Therefore I think it would be better to create a permission for it. :)
i think there is a mod that does something like that already.
Superadmin mod?
Here is a simple fix ... In Display.php
search for:
// Run BBC interpreter on the message.
$message['body'] = parse_bbc($message['body'], $message['smileys_enabled'], $message['id_msg']);
add after:
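// $message['id_member'] is only the poster's numeric id; the group is read from $memberContext, assumed to be filled by loadMemberContext() earlier in this function.
$poster_is_admin = isset($memberContext[$message['id_member']]['group_id']) && $memberContext[$message['id_member']]['group_id'] == 1;
$can_modify = allowedTo('modify_any') && ($user_info['is_admin'] || !$poster_is_admin);
$can_delete = allowedTo('delete_any') && ($user_info['is_admin'] || !$poster_is_admin);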
search for:
'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && (allowedTo('modify_any') || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),
replace by:
'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && ($can_modify || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => $can_delete || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),
Now the Global Mod can't modify or delete posts made by members in the Admin Group (id 1)..
the only problem then is the global mod is no longer global, it should be up to the admin if they want the mods to edit their posts or not. not up to the forum software. it has been like this for a while even in 1.1.1*
While I understand the point of the edit - it is not actually a BUG... it is working completely as intended.
Very difficult Kindred ..
if a Global mod has remove member - delete_any, then he can also drop the admin :o
yes, that is true.... again, not a bug - although I see the point of making the admin untouchable, I also see a point of "don't give that sort of access to people you don't trust"
Quote from: Kindred on July 27, 2011, 03:53:10 PM
I also see a point of "don't give that sort of access to people you don't trust"
That's also very difficult ... Normally anyone in a forum know the other really ;)
that is not always true, look at the team here at sm.org most of us did not know each other until we made the team, that does not mean that we are given full admin access just because we are on the team. we are only trusted to a point with certain permissions.
comments from developers on if this is a bug or not?
Quote from: feline on July 25, 2011, 04:09:42 PM
Here is a simple fix ... In Display.php
search for:
// Run BBC interpreter on the message.
$message['body'] = parse_bbc($message['body'], $message['smileys_enabled'], $message['id_msg']);
add after:
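// $message['id_member'] is only the poster's numeric id; the group is read from $memberContext, assumed to be filled by loadMemberContext() earlier in this function.
$poster_is_admin = isset($memberContext[$message['id_member']]['group_id']) && $memberContext[$message['id_member']]['group_id'] == 1;
$can_modify = allowedTo('modify_any') && ($user_info['is_admin'] || !$poster_is_admin);
$can_delete = allowedTo('delete_any') && ($user_info['is_admin'] || !$poster_is_admin);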
search for:
'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && (allowedTo('modify_any') || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),
replace by:
'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && ($can_modify || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => $can_delete || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),
Now the Global Mod can't modify or delete posts made by members in the Admin Group (id 1)..
This only removes the buttons. If someone knew the direct link (not so difficult) it's useless. I think some enhanced code must be placed in Security.php.
Best regards
NetHunter
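The point raised in the post above, that hiding the buttons does not stop a request sent straight to the action URL, shown as an added example that is not part of the thread and not SMF code. The function names, array shapes and sample users are constructed for illustration; the idea is that the view and the action handler call the same policy function.

```php
<?php
// Added illustration, not SMF code. Function names, array shapes and
// the sample users are constructed for this example.
const ADMIN_GROUP = 1;

// One policy function, shared by the view and by every action handler.
function canModerate(array $actor, array $author, string $perm): bool
{
    if (!in_array($perm, $actor['permissions'], true)) {
        return false;
    }
    $authorIsAdmin = in_array(ADMIN_GROUP, $author['groups'], true);
    // Posts written by admin-group members stay admin-only.
    return $actor['is_admin'] || !$authorIsAdmin;
}

// View layer: only decides whether the buttons are drawn.
function buttonsFor(array $actor, array $author): array
{
    return [
        'can_modify' => canModerate($actor, $author, 'modify_any'),
        'can_remove' => canModerate($actor, $author, 'delete_any'),
    ];
}

// Action handler: any request for the delete URL lands here, whether or
// not a button was shown, so the check is repeated before the write.
function handleDelete(array $actor, array &$posts, int $idMsg): bool
{
    if (!isset($posts[$idMsg])
        || !canModerate($actor, $posts[$idMsg]['author'], 'delete_any')) {
        return false; // a real handler would show an error page and log it
    }
    unset($posts[$idMsg]);
    return true;
}

$perms = ['modify_any', 'delete_any'];
$admin = ['is_admin' => true, 'groups' => [1], 'permissions' => $perms];
$mod   = ['is_admin' => false, 'groups' => [2], 'permissions' => $perms];
$posts = [101 => ['author' => $admin, 'body' => 'announcement']];

// The global moderator's view flags and direct delete request are evaluated
// first, then the admin's own delete request for the same post.
var_dump(buttonsFor($mod, $admin));
var_dump(handleDelete($mod, $posts, 101));
var_dump(handleDelete($admin, $posts, 101));
```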
I agree with Kindred that it works as intended (but I'm the last arrived and I don't have a big forum) so my opinion doesn't have a big weight.
BTW, there are at least two mods that can provide such functionality (mine doesn't deal with bans):
http://custom.simplemachines.org/mods/index.php?mod=1306
http://custom.simplemachines.org/mods/index.php?mod=2933
I disagree with the OP, I would rather have the Global Moderator be able to edit all posts, including the Admins'. It makes perfect sense to me.
My definition of a Global Moderator is someone I trust enough with every single board, I can even trust them with the Admin position if they knew how. However to some people the Admin position is too much, some people may get confused with everything in the Admin Panel, so GM they are.
Say a post has outdated information and an Admin posted it. The Global Moderator should have the ability to update that information. IMHO Global Moderator is a step down from Admin, so you should treat that group as such.
Maybe you are proposing a next step down? IMHO Global Moderator is perfect, it doesn't need to be touched.
I have posted a post as the admin user to do some testing but cannot seem to find an option to delete my own admin post. Can someone help please? :)
Nimda,
this is not a support topic.
nimda if you are still logged in with your admin account you should see the normal "remove" button next to the post.
Thanks emanuele,
I have found it :)
Duplicate post, too...
http://www.simplemachines.org/community/index.php?topic=480274.msg3361408#msg3361408
...which had to be removed from the FAQ topic.
Weird, or what?
I support the idea that it works as intended. But what about this different approach: we always say that "you shouldn't give these permissions to people you don't trust"; OK, so do we ever expect a trusted moderator to remove an admin? That's a little bit of a paradox. :) Because if the global mod is never expected to delete an admin, then why can he?
Elmacik, it's not about removing an admin account.... it's about removing or editing admin POSTS
and setting a flag on a post to say "this is an admin post, only other admins can remove it" seems like a waste of processing.
In any case, even users who have the ability to manage membergroups can't remove an admin account without being an admin themselves.
I can see both sides of the argument, but I think I'm inclined to agree that global moderators should just be able to globally moderate - posts.
Quote from: Kindred on June 27, 2012, 01:49:13 PM
Elmacik, it's not about removing an admin account.... it's about removing or editing admin POSTS
and setting a flag on a post to say "this is an admin post, only other admins can remove it" seems like a waste of processing.
Yeah I know, some people also mentioned global mods removing admins. Either way, I agree that modifying posts permission should not exclude admin posts. And as Arantor stated, new behaviour is global mods can't remove admins unless the admin specially gives the permission to manage forum (which is actually making the mod an admin practically).
Quote
And as Arantor stated, new behaviour is global mods can't remove admins unless the admin specially gives the permission to manage forum (which is actually making the mod an admin practically).
Not quite. It's not actually admin_forum.
As of RC4, groups can be set to protected, which means one can only remove that group from another user if the person performing the action is either proper admin (group 1) or belongs to that group and also has manage-membergroups permission.
It also can't be assigned in a similar fashion.
Admins (group 1) do automatically have all the permissions including manage-membergroups. Plus, any membergroup can have the manage membergroups permission that admin may decide; will be able to manage members and the groups. That's why I said as you stated, SMF has changed the default behaviour, which previously allowed any member group that has the permission delete the admin accounts.
I was just confirming when it happened, but before RC4, I thought only group 1 users could add/remove group 1, it was more the case that you could create a group with all permissions that would not be so protected.
This is, ultimately, not a bug. It is as designed and I'd argue that the reverse is actually less obvious in terms of how it works. Especially if you want to have the situation of a moderator/admin posting a topic that needs to be updated regularly... this isn't something you can readily do particularly well outside of 'all or nothing'.
The problem with implementing such protected posts is that you then need to consider multiple levels of protection... what if you have a global moderator post, can that be edited by board moderators? etc. etc.