Super Admin

Started by Bulakbol, August 04, 2008, 06:44:30 PM

Previous topic - Next topic

kanaka

But if the admin was in a different position from # 1? How should I change the mod?

YogiBear

That's the very point - if it were possible to make any admin besides admin ID1 the super admin then that other admin could hijack the forum. I'll have a wander back through the thread when I get a mo as this question has come up a few times.
SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

Arantor

I still say you shouldn't need this mod if you don't give out full admin powers in the first place... because if they have full admin powers they could just uninstall the mod anyway... so if you don't give the power out, they can't abuse it.

YogiBear

Quote from: Arantor on May 12, 2013, 06:12:41 PM
I still say you shouldn't need this mod if you don't give out full admin powers in the first place... because if they have full admin powers they could just uninstall the mod anyway... so if you don't give the power out, they can't abuse it.


I did use this in the days of RC3 and it was possible for the admin ID1 to hide it from other admins (I set up a test account).

However, do take care to install this mod after any others and uninstall it before uninstalling others. I took up about a page on the Aeva support thread with an uninstall problem (so as to update it) just because I had forgotten I'd installed Super Admin and set it hidden!
SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

Arantor

Huh, I didn't realise it also hid itself. But even so, it's still more than possible to confirm the mod is installed even if hidden and even if it is hidden it is still entirely possible to defeat it.

In fact, just after 10 minutes of studying the code, I think I know how any admin, not just user 1, could force it to be shown again in the package manager. In fact, the mod is actually weak on that point because it isn't actually obviously clear how you set it hidden in the first place.

(Admittedly, I'm a pro SMF user, not the average admin, so I know all about its foibles and I would be surprised if most people would know how to exploit the routes I do. But even so, it's possible - and if you don't trust your users, don't give them full admin power, simple as that.)

Mark S

I have had the need to take on a helper admin to administrate the active/inactive membership, which means they need to be able to delete accounts.  Now, with that permission, does that mean this member could delete ME as the only actual "admin" status?  If not, then I wouldn't need any "super" admin protection but if so, then sure, I could get back in through the host cpanel but, I don't even want the ability be deleted by another pseudo-admin with the delete member option to be available.

Could you help with explaining how this works?

If I can be deleted, then the super admin mod still can't be used since it's out of version update?

Thanks!

Arantor

They will only be able to delete you if they themselves are in the true admin group (group 1). If they are not in that group, just having a separate group with the manage members permission, they will not be able to delete you.

Better question: if you don't trust them not to delete your account, why did you promote them in the first place? Don't give out permissions to people you don't trust!

Mark S

Because I only trust anyone except my wife as far as I can throw them.  It's better to be safe than sorry, right?

Arantor

Exactly... and if you don't trust them, don't give them keys to your kingdom at all. If you don't trust them not to delete you, why do you trust them to delete other people?

The point stands as far as groups, if you didn't set the user up as a full admin in the first place, they can't delete you, but that doesn't mean they can't cause various damage to the site as a whole.

Better question: are you using this helper to delete spam? If so, there are much better methods (there are many, many discussions about preventing rather than cleaning up after spam)

Mark S

They aren't going to remove spam.  We don't have, nor ever had, any spam because I do know the better ways to handle that.  Spammers simply don't get past the registration.  Not spambots or any actual person who has tried to "buffalo" through the registration questions.

I asked if they 'could' delete an actual admin account because that isn't spelled out anywhere in the help explanation for that permission.  I don't care if the person was my own clone, I'd still want to know if they could or couldn't delete me.  Since I now know they can't, it's not an issue. 

Thank you, my question is answered.

Kosuki

I need to change the default super admin from user 1 to my user number. I have found the files to edit from the post on the first page, however, I am unable to find the lines of code I am told to select and edit. For example on load.php I was only able to find the first edit not the other ones... I d not want to have to uninstall this mod, however if there is no good solution, then I will uninstall it.

Mark S

use the "emulate" earlier version possibly?

Advertisement: