Regular Users Have Admin Button - Deny Permission does not work

[47ipsd]

Newbie here.  My Regular Users (default profile), show an Admin button which allows them to modify and delete Boards and Categories. To disallow this I used Admin - General permissions - Regular Users - Modify - Forum Administration - and clicked on "Deny."  After this, Regular Users do not show the Admin button but they can no longer see any Boards.  My installation is on a Linux host.  How do I fix this?
Thanks.

[Illori]

check each board and make sure the proper access has been granted.

[Kindred]

Yup. You somehow gave everyone access to the admin permissions

[47ipsd]

Each board uses the default profile for Regular Users and that profile does not grant permissions to modify or delete categories and boards.

Any ideas as to where in SMF are regular users enabled to see and use the Admin modify functions? Under Admin there is an icon for "Boards and Categories."

[Kindred]

permissions in SMF are ADDITIVE/INCLUSIVE -- any permission granted by any group that the user belongs to has access to that permission regardless of that permission setting in any other group.

the exception is the DENY permission...  deny permissions are EXCLUSIVE -- any group with a deny permission is refused access to that permission regardless of any group that gives that permission.

This being said --   if you have to use DENY for a standard group - then the chances are 100% that you have MISconfigured permissions elsewhere.

If, somehow, you managed to delete the 0-post-count  post-count based group (usually listed as Newbie), then you have broken the system completely. There is no fixing this until a 0-count post-count-group has been re-added.

[47ipsd]

There is a 0-post-count  post-count based group (Newbie).  Again, Each board uses the default profile for Regular Users and the default profile does not grant permissions to modify or delete categories and boards.

Only if I specify DENY does the Admin button disappear, however, Regular Users then cannot see the boards, so for now I specified ALLOW but Regular users can use that Admin button to modify or delete boards, which I DO NOT want.  Only the Administrator needs to have this permission.

My question is: Why is this Admin button appearing for a Regular User who has signed in, and how can I remove it?

Thanks for any suggestions.

[Arantor]

Being able to see the Admin button is nothing to do with the board access. It must be some *other* permission that you're also denying that's causing it.

Do you have access to phpMyAdmin or similar?

[47ipsd]

Yes, my CPanel has access to phpMyAdmin and other database apps.  What should I look for?

[Arantor]

Do all the tables in the database start with smf_ or something else?

[47ipsd]

Yes:


Database Ascending   Collation   Action
information_schema   utf8_general_ci   Check privileges Check privileges
lpreside_forum   utf8mb4_unicode_ci   Check privileges Check privileges
lpreside_smf423   utf8mb4_unicode_ci   Check privileges Check privileges
lpreside_smf752   utf8mb4_unicode_ci   Check privileges Check privileges
Total: 4   utf8mb4_unicode_ci   

[Arantor]

Those are databases, I meant the tables inside.

[47ipsd]

Code Select Expand

Expand/CollapseDatabase operationslpreside_smf423

NewNew
Expand/CollapseStructuresmfhw_admin_info_files
Expand/CollapseStructuresmfhw_approval_queue
Expand/CollapseStructuresmfhw_attachments
Expand/CollapseStructuresmfhw_background_tasks
Expand/CollapseStructuresmfhw_ban_groups
Expand/CollapseStructuresmfhw_ban_items
Expand/CollapseStructuresmfhw_boards
Expand/CollapseStructuresmfhw_board_permissions
Expand/CollapseStructuresmfhw_board_permissions_view
Expand/CollapseStructuresmfhw_calendar
Expand/CollapseStructuresmfhw_calendar_holidays
Expand/CollapseStructuresmfhw_categories
Expand/CollapseStructuresmfhw_custom_fields
Expand/CollapseStructuresmfhw_group_moderators
Expand/CollapseStructuresmfhw_log_actions
Expand/CollapseStructuresmfhw_log_activity
Expand/CollapseStructuresmfhw_log_banned
Expand/CollapseStructuresmfhw_log_boards
Expand/CollapseStructuresmfhw_log_comments
Expand/CollapseStructuresmfhw_log_digest
Expand/CollapseStructuresmfhw_log_errors
Expand/CollapseStructuresmfhw_log_floodcontrol
Expand/CollapseStructuresmfhw_log_group_requests
Expand/CollapseStructuresmfhw_log_mark_read
Expand/CollapseStructuresmfhw_log_member_notices
Expand/CollapseStructuresmfhw_log_notify
Expand/CollapseStructuresmfhw_log_online
Expand/CollapseStructuresmfhw_log_packages
Expand/CollapseStructuresmfhw_log_polls
Expand/CollapseStructuresmfhw_log_reported
Expand/CollapseStructuresmfhw_log_reported_comments
Expand/CollapseStructuresmfhw_log_scheduled_tasks
Expand/CollapseStructuresmfhw_log_search_messages
Expand/CollapseStructuresmfhw_log_search_results
Expand/CollapseStructuresmfhw_log_search_subjects
Expand/CollapseStructuresmfhw_log_search_topics
Expand/CollapseStructuresmfhw_log_spider_hits
Expand/CollapseStructuresmfhw_log_spider_stats
Expand/CollapseStructuresmfhw_log_subscribed
Expand/CollapseStructuresmfhw_log_topics
Expand/CollapseStructuresmfhw_mail_queue
Expand/CollapseStructuresmfhw_membergroups
Expand/CollapseStructuresmfhw_members
Expand/CollapseStructuresmfhw_member_logins
Expand/CollapseStructuresmfhw_mentions
Expand/CollapseStructuresmfhw_messages
Expand/CollapseStructuresmfhw_message_icons
Expand/CollapseStructuresmfhw_moderators
Expand/CollapseStructuresmfhw_moderator_groups
Expand/CollapseStructuresmfhw_package_servers

lpreside_smf752

Expand/CollapseStructuresmfpt_admin_info_files
Expand/CollapseStructuresmfpt_approval_queue
Expand/CollapseStructuresmfpt_attachments
Expand/CollapseStructuresmfpt_background_tasks
Expand/CollapseStructuresmfpt_ban_groups
Expand/CollapseStructuresmfpt_ban_items
Expand/CollapseStructuresmfpt_boards
Expand/CollapseStructuresmfpt_board_permissions
Expand/CollapseStructuresmfpt_board_permissions_view
Expand/CollapseStructuresmfpt_calendar
Expand/CollapseStructuresmfpt_calendar_holidays
Expand/CollapseStructuresmfpt_categories
Expand/CollapseStructuresmfpt_custom_fields
Expand/CollapseStructuresmfpt_group_moderators
Expand/CollapseStructuresmfpt_log_actions
Expand/CollapseStructuresmfpt_log_activity
Expand/CollapseStructuresmfpt_log_banned
Expand/CollapseStructuresmfpt_log_boards
Expand/CollapseStructuresmfpt_log_comments
Expand/CollapseStructuresmfpt_log_digest
Expand/CollapseStructuresmfpt_log_errors
Expand/CollapseStructuresmfpt_log_floodcontrol
Expand/CollapseStructuresmfpt_log_group_requests
Expand/CollapseStructuresmfpt_log_mark_read
Expand/CollapseStructuresmfpt_log_member_notices
Expand/CollapseStructuresmfpt_log_notify
Expand/CollapseStructuresmfpt_log_online
Expand/CollapseStructuresmfpt_log_packages
Expand/CollapseStructuresmfpt_log_polls
Expand/CollapseStructuresmfpt_log_reported
Expand/CollapseStructuresmfpt_log_reported_comments
Expand/CollapseStructuresmfpt_log_scheduled_tasks
Expand/CollapseStructuresmfpt_log_search_messages
Expand/CollapseStructuresmfpt_log_search_results
Expand/CollapseStructuresmfpt_log_search_subjects
Expand/CollapseStructuresmfpt_log_search_topics
Expand/CollapseStructuresmfpt_log_spider_hits
Expand/CollapseStructuresmfpt_log_spider_stats
Expand/CollapseStructuresmfpt_log_subscribed
Expand/CollapseStructuresmfpt_log_topics
Expand/CollapseStructuresmfpt_mail_queue
Expand/CollapseStructuresmfpt_membergroups
Expand/CollapseStructuresmfpt_members
Expand/CollapseStructuresmfpt_member_logins
Expand/CollapseStructuresmfpt_mentions
Expand/CollapseStructuresmfpt_messages
Expand/CollapseStructuresmfpt_message_icons
Expand/CollapseStructuresmfpt_moderators
Expand/CollapseStructuresmfpt_moderator_groups
Expand/CollapseStructuresmfpt_package_servers
Server: localhost:3306
Databases Databases
SQL SQL
Status Status
Export Export
Import Import
Settings Settings
Variables Variables
Charsets Charsets
Engines Engines
Plugins Plugins
Click on the bar to scroll to top of page
SQL Query Console Console
ascendingdescendingOrder:Debug SQLExecution orderTime takenOrder by:Group queries
Some error occurred while getting SQL debug info.
OptionsSet default
Always expand query messages
Show query history at start
Show current browsing query
 Execute queries on Enter and insert new line with Shift + Enter. To make this permanent, view settings.
Switch to dark theme
Databases
Database Ascending Collation Action
information_schema utf8_general_ci Check privileges Check privileges
lpreside_forum utf8mb4_unicode_ci Check privileges Check privileges
lpreside_smf423 utf8mb4_unicode_ci Check privileges Check privileges
lpreside_smf752 utf8mb4_unicode_ci Check privileges Check privileges
Total: 4 utf8mb4_unicode_ci

[Arantor]

Hrm, which one is your actual forum living in? You seem to have multiple complete databases there.

It could be any of lpreside_forum, lpreside_smf423, lpreside_smf752?

And they have different prefixes inside, so for me to get you the right query, we will have to figure this out. :-/

[47ipsd]

I'm pretty sure it's the 3rd one:

lpreside_smf752

The other smf one was supposed to go on a prior domain, which I am not using... and lpreside_forum is empty.

BTW, thank you for your looking at this.

[Arantor]

Any time

OK, so if it's smf752, the tables all have a prefix of smfpt_ by the looks of things.

So the next thing is to run the following query:

Code Select Expand

SELECT mem.id_member, mem.id_post_group, mg.min_posts FROM smfpt_members mem LEFT JOIN smfpt_membergroups mg ON (mem.id_post_group = mg.id_group) WHERE (mg.id_group IS NULL) OR (mg.min_posts < 0);

This is to put to bed one way or another that it's anything related to spurious post count groups as I still think this is somehow relevant before we dig into the rest of the permissions system.

What this does is finds anyone who has a post count group that isn't valid in the system (which would end up with them having some admin powers by accident)

[47ipsd]

 Showing rows 0 - 0 (1 total, Query took 0.0008 seconds.)
SELECT mem.id [nofollow]_member, mem.id [nofollow]_post_group, mg.min_posts FROM smfpt_members mem LEFT JOIN smfpt_membergroups mg ON (mem.id_post_group = mg.id [nofollow]_group) WHERE (mg.id_group IS NULL) OR (mg.min_posts < 0);
Profiling [Edit inline] [ Edit ] [ Explain SQL ] [ Create PHP code ] [ Refresh]
 Show all   |         Number of rows:
25
Filter rows:
Search this table
id_member   id_post_group   min_posts   
1   0   NULL

[Arantor]

OK so it looks like it's not related after all. Kind of expected but good to rule out.

So... what mods are in play? I can get the list of permissions that normally show the admin button (so we can go find out which groups somehow have this) but it's useful to know if there's any mods in play that might modify the admin panel somehow.

[47ipsd]

I installed 2.1 and have not applied any mods.

Note that here are my current General Permissions under Forum Administration for "Regular Members":

Administrate forum and database      
🚫
Manage boards and categories      
✅
Manage attachments and avatars      
—
Manage smileys and message icons      
—
Edit news      
🚫
Access the moderation center      
—

I checked "Allow" for "Manage Boards and Categories" because if I check "Deny" or "Disallow" the Admin button goes away but the users cannot see the Boards.

[Arantor]

OK so there's your problem.

Manage boards explicitly gives them the ability to go to admin (to manage the boards) and to explicitly see every board. This suggests that the permissions are somewhat messed up for boards - take out (disallow, not deny) manage boards, and go into each board one by one and 1) check the groups that should be able to see it, then 2) save it.

There is a glitch under some very specific cases where the view permissions for groups vs boards don't get upgraded correctly from 2.0 to 2.1, or on 2.1 in a fresh install if you don't go and re-save board permissions; after the first resave it should be consistently fine.

[47ipsd]

OK, will do. I'll check in tomorrow.  Thanks.