
[4048]Admins get user # 1

Started by Ben K, November 24, 2009, 03:34:19 PM


Ben K

Hi, I have 2 groups - main admins and admins.
Admins have been made by me & I tried to find a way admins could get into the main admin group, but I didn't find anything.
So I was just thinking about whether an admin could change the password of a main admin.
I tried and he can!

Could be a bug, could not be, but I would love it if groups that can change profiles of other users could not change their password unless that group has fewer rights.

Sabre™

I'm not sure if disallowing admins to edit another admin's details is even a standard option (I'm always the only 'real' admin), but you could look at [THIS] mod.
It does what you are after, and more.
Do NOT give admin and/or ftp details to just anybody, see if they are trustworthy first!! Do your homework ;)



Arantor

No user who doesn't have group 1 should be able to modify the password of a group 1 user.

So true admins should not be able to have their password edited by non admins. It's not tied to user id 1, but user group 1.

Ben K

My # 1 main group is users, but under group it has super admin.

Arantor

I don't understand.

Membergroup id 1, originally titled Administrator, is special. It cannot be added to users unless the user granting it holds group 1 amongst their groups. Cannot be removed similarly.

Ben K

I just tried to change # 1 group back to Super Admins.
Then super moderator that can change user accounts, just changed it and logged in with it.

Arantor

Leave group 1 alone. It has special powers and implicitly every permission.

Only grant it to those you want able to install packages, do backups and generally mess with the raw configuration.

Ben K

Super moderators is group 2, they can change # 1 password anyway =\

Arantor

They shouldn't be able to unless the permissions are messed up.

Ben K

Permission use to allow them to change other users' profiles, I want super moderators to be able to change users' profiles, but not admins' profiles =\

Arantor

That's the point; they shouldn't be able to unless they have group 1 themselves.

Ben K

Well, they can, I have tried to do it myself.
Bug? :P

Norv

Quote from: Ben K on November 24, 2009, 04:43:11 PM
Super moderators is group 2, they can change # 1 password anyway =\

I just made a quick test on RC2 public, fresh install, and global moderators can't change the password of proper admin accounts, they don't even see the password field for users in group 1.
Please tell: in what groups (all groups) is the user you try changing password to? In what group(s) is the user changing password? What mods do you have installed?

On another note, strangely, a global moderator can change fields like registration date and post count of users in group 1, but he/she cannot change custom fields, despite having them visible and editable. That behavior might be worth more investigation, IMHO.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Ben K

Edit other people's account settings - For group 2 is enabled.

1. Wysiwyg Quick Reply RC2 RC2  [ Uninstall ] [ List Files ] [ Delete ]
2. Hide SMF Version 1.0.5  [ Uninstall ] [ List Files ] [ Delete ]
3. Advanced Reputation System 1.8  [ Uninstall ] [ List Files ] [ Delete ]
4. Hide Tag 2.3.6  [ Uninstall ] [ List Files ] [ Delete ]
5. Ban Link in Post 1.1  [ Uninstall ] [ List Files ] [ Delete ]
6. Watermark.light 1.3  [ Uninstall ] [ List Files ] [ Delete ]


Forum was based on SMF 1.1.6, after slow transferred to SMF RC-2.

Member from group 2 can change password for user # 1 in group 1.

Norv

Confirmed, it happens on the latest svn version as well: a moderator with all member-related permissions, including "edit other people's account settings", can change the admin's passwords, as well as many other things on admin profiles.

Added to tracker. Thank you!

emanuele

Resolved in tracker, moving to fixed.


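The rule discussed in this thread (an account holding membergroup 1 should only have its password and other account settings changed by someone who also holds group 1), written out as an added PHP example. It is not SMF's code and not part of any post above; the function names, the `edit_any_account` permission string, the array keys and the sample members are hypothetical and constructed for illustration.

```php
<?php
// Added example, not SMF source. Function names, permission strings and
// array keys are hypothetical; the sample members are constructed.
const ADMIN_GROUP = 1; // membergroup id 1, described in the thread as special

// Every group a member holds: the primary group plus any additional ones.
function memberGroups(array $m): array
{
    $extra = array_map('intval', explode(',', $m['additional_groups'] ?? ''));
    return array_unique(array_filter(array_merge([(int) $m['primary_group']], $extra)));
}

function holdsAdminGroup(array $m): bool
{
    return in_array(ADMIN_GROUP, memberGroups($m), true);
}

// May $actor change account settings (password included) of $target?
function canEditAccount(array $actor, array $target): bool
{
    if ($actor['id'] === $target['id']) {
        return true; // editing one's own account is out of scope here
    }
    if (!in_array('edit_any_account', $actor['permissions'], true)) {
        return false;
    }
    // The check the thread says should apply: a broad "edit other people's
    // account settings" permission must not reach accounts holding group 1
    // unless the actor holds group 1 as well.
    return !holdsAdminGroup($target) || holdsAdminGroup($actor);
}

$admin  = ['id' => 1, 'primary_group' => 1, 'additional_groups' => '', 'permissions' => ['edit_any_account']];
$hidden = ['id' => 2, 'primary_group' => 4, 'additional_groups' => '9,1', 'permissions' => []];
$mod    = ['id' => 3, 'primary_group' => 2, 'additional_groups' => '', 'permissions' => ['edit_any_account']];
$user   = ['id' => 4, 'primary_group' => 4, 'additional_groups' => '', 'permissions' => []];

$cases = [
    'moderator -> regular user'            => [$mod, $user],
    'moderator -> admin (primary group 1)' => [$mod, $admin],
    'moderator -> admin (additional 1)'    => [$mod, $hidden],
    'admin -> moderator'                   => [$admin, $mod],
    'regular user -> moderator'            => [$user, $mod],
];
foreach ($cases as $label => [$actor, $target]) {
    printf("%-40s %s\n", $label, canEditAccount($actor, $target) ? 'allow' : 'deny');
}
```

The third case matters when auditing group assignments: checking only a member's primary group would miss an account that holds group 1 as an additional group.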