[2.0] Global Mod can modify and remove Admin Posts

Started by feline, July 25, 2011, 03:13:09 PM


feline

As the subject says ..
A Global Moderator can remove and edit posts created by an Admin.
This is a heavy bug I think  :o

emanuele



Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Illori

a global mod has always been able to moderate everyone that includes admin and other moderators. even a board moderator can edit posts made by an admin.

Robert.

Actually, I understand why it's an issue. It's the same like users with the right to edit account settings can't edit those of an admin. Therefore I think it would be better to create a permission for it. :)

Illori

i think there is a mod that does something like that already.

karlbenson


feline

Here is a simple fix ... In Display.php
search for:

// Run BBC interpreter on the message.
$message['body'] = parse_bbc($message['body'], $message['smileys_enabled'], $message['id_msg']);

add after:

$can_modify = allowedTo('modify_any') && ($user_info['is_admin'] || $message['id_member']['group_id'] != 1);
$can_delete = allowedTo('delete_any') && ($user_info['is_admin'] || $message['id_member']['group_id'] != 1);


search for:

'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && (allowedTo('modify_any') || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),


replace by:

'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && ($can_modify || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => $can_delete || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),


Now the Global Mod can't modify or delete posts made by members in the Admin Group (id 1)..

Illori

the only problem then is the global mod is no longer global, it should be up to the admin if they want the mods to edit their posts or not. not up to the forum software. it has been like this for a while even in 1.1.1*

Kindred

While I understand the point of the edit - it is not actually a BUG... it is working completely as intended.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

feline

Very difficult Kindred ..
If a Global mod has remove member - delete_any, then he can also drop the admin  :o

Kindred

yes, that is true....   again, not a bug - although I see the point of making the admin untouchable, I also see a point of "don't give that sort of access to people you don't trust"

feline

Quote from: Kindred on July 27, 2011, 03:53:10 PM
I also see a point of "don't give that sort of access to people you don't trust"
That's also very difficult ... Normally anyone in a forum know the other really  ;)

Illori

that is not always true, look at the team here at sm.org most of us did not know each other until we made the team, that does not mean that we are given full admin access just because we are on the team. we are only trusted to a point with certain permissions.

Illori

comments from developers on if this is a bug or not?

NetFlag

Quote from: feline on July 25, 2011, 04:09:42 PM
Here is a simple fix ... In Display.php
search for:

// Run BBC interpreter on the message.
$message['body'] = parse_bbc($message['body'], $message['smileys_enabled'], $message['id_msg']);

add after:

$can_modify = allowedTo('modify_any') && ($user_info['is_admin'] || $message['id_member']['group_id'] != 1);
$can_delete = allowedTo('delete_any') && ($user_info['is_admin'] || $message['id_member']['group_id'] != 1);


search for:

'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && (allowedTo('modify_any') || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),


replace by:

'can_modify' => (!$context['is_locked'] || allowedTo('moderate_board')) && ($can_modify || (allowedTo('modify_replies') && $context['user']['started']) || (allowedTo('modify_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || !$message['approved'] || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time()))),
'can_remove' => $can_delete || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['id_member'] == $user_info['id'] && (empty($modSettings['edit_disable_time']) || $message['poster_time'] + $modSettings['edit_disable_time'] * 60 > time())),


Now the Global Mod can't modify or delete posts made by members in the Admin Group (id 1)..

This only removes the buttons. If someone knows the direct link (not so difficult), it's useless. I think some enhanced code must be placed in Security.php.

Best regards
NetHunter
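
The point raised in the post above, that hiding the buttons in Display.php leaves the action reachable by a direct link, as an added example that is not part of the thread and is not SMF code: one policy function is called both where the button is drawn and where the removal request is handled. Every function name, member id and post id below is hypothetical and constructed for illustration; only the Admin group id 1 comes from the thread.

```php
<?php
// Added illustration, not SMF code; all names are hypothetical.
const ADMIN_GROUP = 1; // Admin group id as given in the thread

// Constructed sample data: two members and two posts.
$members = [
    1 => ['groups' => [1], 'perms' => []],             // administrator
    7 => ['groups' => [2], 'perms' => ['delete_any']], // global moderator
];
$posts = [100 => ['author' => 1], 101 => ['author' => 7]];

function isAdmin(int $memberId): bool
{
    global $members;
    return in_array(ADMIN_GROUP, $members[$memberId]['groups'] ?? [], true);
}

// Single policy: admins may act on any post; everyone else needs the
// permission and may not touch a post whose author is an admin.
function mayActOnPost(int $actorId, int $postId, string $perm): bool
{
    global $members, $posts;
    if (!isset($members[$actorId], $posts[$postId])) {
        return false; // unknown actor or post: deny by default
    }
    if (isAdmin($actorId)) {
        return true;
    }
    $hasPerm = in_array($perm, $members[$actorId]['perms'], true);
    return $hasPerm && !isAdmin($posts[$postId]['author']);
}

// Display side: only decides whether the button is drawn.
function showRemoveButton(int $actorId, int $postId): bool
{
    return mayActOnPost($actorId, $postId, 'delete_any');
}

// Action side: runs on every request, including one built by hand
// from a known URL, so the same policy is enforced again here.
function handleRemoveRequest(int $actorId, int $postId): string
{
    global $posts;
    if (!mayActOnPost($actorId, $postId, 'delete_any')) {
        return 'denied';
    }
    unset($posts[$postId]);
    return 'removed';
}

var_dump(showRemoveButton(7, 100), handleRemoveRequest(7, 100));
var_dump(handleRemoveRequest(7, 101), handleRemoveRequest(1, 100));
```

The moderator's request for the admin's post is refused by the handler itself, whether or not the button was ever rendered.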

emanuele

I agree with Kindred that it works as intended (but I'm the last arrived and I don't have a big forum) so my opinion doesn't have a big weight.

BTW, there are at least two mods that can provide such functionality (mine doesn't deal with bans):
http://custom.simplemachines.org/mods/index.php?mod=1306
http://custom.simplemachines.org/mods/index.php?mod=2933



nend

I disagree with the OP, I would rather have the Global Moderator be able to edit all posts, including the Admins'. It makes perfect sense to me.

My definition of a Global Moderator is someone I trust enough with every single board, I can even trust them with the Admin position if they knew how. However to some people the Admin position is too much, some people may get confused with everything in the Admin Panel, so GM they are.

Say a post has outdated information and an Admin posted it. The Global Moderator should have the ability to update that information. IMHO Global Moderator is a step down from Admin, so you should treat that group as such.

Maybe you are proposing a next step down? IMHO Global Moderator is perfect, it doesn't need to be touched.

nimda

I have posted a post as the admin user to do some testing but cannot seem to find an option to delete my own admin post. Can someone help please?  :)

Kindred


emanuele

nimda if you are still logged in with your admin account you should see the normal "remove" button next to the post.



nimda



Elmacik

I support the idea that it works as intended. But what about this different approach: we always say that "you shouldn't give these permissions to people you don't trust"; OK, so do we ever expect a trusted moderator to remove an admin? That's a bit of a paradox. :) Because if the global mod is never expected to delete an admin, then why can he?
Home of Elmacik

Kindred

Elmacik, it's not about removing an admin account.... it's about removing or editing admin POSTS

and setting a flag on a post to say "this is an admin post, only other admins can remove it" seems like a waste of processing.

Arantor

In any case, even users who have the ability to manage membergroups can't remove an admin account without being an admin themselves.

I can see both sides of the argument, but I think I'm inclined to agree that global moderators should just be able to globally moderate - posts.

Elmacik

Quote from: Kindred on June 27, 2012, 01:49:13 PM
Elmacik, it's not about removing an admin account.... it's about removing or editing admin POSTS

and setting a flag on a post to say "this is an admin post, only other admins can remove it" seems like a waste of processing.

Yeah I know, some people also mentioned global mods removing admins. Either way, I agree that modifying posts permission should not exclude admin posts. And as Arantor stated, new behaviour is global mods can't remove admins unless the admin specially gives the permission to manage forum (which is actually making the mod an admin practically).

Arantor

Quote: And as Arantor stated, new behaviour is global mods can't remove admins unless the admin specially gives the permission to manage forum (which is actually making the mod an admin practically).

Not quite. It's not actually admin_forum.

As of RC4, groups can be set to protected, which means one can only remove that group from another user if the person performing the action is either proper admin (group 1) or belongs to that group and also has manage-membergroups permission.

It also can't be assigned in a similar fashion.

Elmacik

Admins (group 1) do automatically have all the permissions including manage-membergroups. Plus, any membergroup can have the manage membergroups permission that admin may decide; will be able to manage members and the groups. That's why I said as you stated, SMF has changed the default behaviour, which previously allowed any member group that has the permission delete the admin accounts.

Arantor

I was just confirming when it happened, but before RC4, I thought only group 1 users could add/remove group 1, it was more the case that you could create a group with all permissions that would not be so protected.

Arantor

This is, ultimately, not a bug. It is as designed and I'd argue that the reverse is actually less obvious in terms of how it works. Especially if you want to have the situation of a moderator/admin posting a topic that needs to be updated regularly... this isn't something you can readily do particularly well outside of 'all or nothing'.

The problem with implementing such protected posts is that you then need to consider multiple levels of protection... what if you have a global moderator post, can that be edited by board moderators? etc. etc.
