MyBB Community Forums

Full Version: 'Sub admin' self promoting to Full Admin
I have a forum set up for a World of Tanks clan. I've set up a group with limited admin ability to allow them to change the group membership of registering users so that we can have a "Public" area, a "Clan Member" area and then an "Officer" area.

One of my jr admins found that he can change his group, or the group of any other registered user to the Administrator group. Normally in most systems you're not allowed to assign groups above your current level (can't self promote). I've looked around and the only thing I find to combat this is to not let them have access to the user editor at all. If I strip all access BUT Edit User they can still promote beyond their permission levels.

I've searched these forums and other locations and found a thread here dating back to 2011 with a similar issue, but no resolution was ever noted in the thread... Is this a bug? An oversight in the group tracking code? What can be done to mitigate this as I don't want them having full access and control to the Forums.
AdminCP > Users and Groups > Admin Permissions > Edit the user > Set permissions >
You should also set the default admin permissions while you're in there
AdminCP --> Users & Groups --> Admin Permissions --> Default Permissions
Personally I make everything "No" (if it isn't already) and change it on a user-to-user basis, depending on their needs and skill level.
I think that is not what he means, Yaldaram. It is a bug I think - that if a user has access to change the usergroup then they can promote themselves to any level. I know the dev site mentioned it for supermoderator.
Doing what I said should fix that issue. :)
It's not a bug, it's how it works. Because if you grant them access to change Usergroup levels then they can have access to it. However, yes, it would be good if we had another option like "Allow to change his own group" etc. But it wouldn't be classed as a bug.
Doing that may work around the issue at least, but I don't feel it's a proper solution, or an answer on why it can be done in the first place. What's the point of having a Group Permission if I'm going to have to go user by user and 'enforce' it?

(2012-06-24, 06:06 AM)Yaldaram Wrote: [ -> ]It's not a bug, it's how it works. Because if you grant them access to change Usergroup levels then they can have access to it. However, yes, it would be good if we had another option like "Allow to change his own group" etc. But it wouldn't be classed as a bug.

So in your mind it's logical for a user to be able to promote himself or others to have access above what the SuperAdmin has already provided?

This is similar to a Network Administrator being able to promote themselves or another user to Full Domain Admin. This is not a good thing in any way/shape/form.
(2012-06-24, 06:06 AM)Yaldaram Wrote: [ -> ]It's not a bug, it's how it works. Because if you grant them access to change Usergroup levels then they can have access to it. However, yes, it would be good if we had another option like "Allow to change his own group" etc. But it wouldn't be classed as a bug.


I think it is part of/associated with THIS bug >> http://dev.mybb.com/issues/1480

Not having a go at you Yaldaram and Ryan, or trying to argue, but this is an issue and I agree with the OP - by default a user should not be able to promote to a higher level than their own.

I see that the workaround works in this user's case though.
So wait... this is a known issue and has been pending for a year? o_O
I suppose it is a bug of sorts, but really depends on how you use your forums and groups, and why you'd deem it necessary for a super moderator to have access to change usergroups.

Looks like it's in the tracker though, so it should be addressed at some point, just doesn't seem to be very important in the eyes of the developers as it keeps getting pushed back...
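
The rule the original poster expected ("can't assign groups above your current level"), written out as an added example that is not part of the thread and not MyBB code. The group names come from the first post; the permission strings, the data layout and both function names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical data model, not MyBB's schema or API.
// Each group maps to the admin permissions its members receive (constructed sample data).
$groupPerms = [
    'Registered'    => [],
    'Clan Member'   => [],
    'Officer'       => [],
    'Jr Admin'      => ['user-users'],   // may edit users only
    'Administrator' => ['user-users', 'user-groups', 'config-settings'],
];

/** Union of the permissions granted by every group a user belongs to. */
function effectivePerms(array $memberOf, array $groupPerms): array
{
    $perms = [];
    foreach ($memberOf as $g) {
        $perms = array_merge($perms, $groupPerms[$g] ?? []);
    }
    return array_values(array_unique($perms));
}

/**
 * Return the requested groups the actor must not be allowed to assign.
 * Only groups the target does not already hold are checked. A group is
 * refused when it is unknown or carries any permission the actor lacks,
 * which covers both self-promotion and promoting another account.
 */
function refusedGroups(array $actorGroups, array $targetGroups, array $requested, array $groupPerms): array
{
    $actorPerms = effectivePerms($actorGroups, $groupPerms);
    $refused = [];
    foreach (array_diff($requested, $targetGroups) as $g) {
        if (!array_key_exists($g, $groupPerms)
            || array_diff($groupPerms[$g], $actorPerms) !== []) {
            $refused[] = $g;
        }
    }
    return $refused;
}

// Jr admin moving a new registrant into the clan area.
var_dump(refusedGroups(['Jr Admin'], ['Registered'], ['Clan Member'], $groupPerms));
// Jr admin adding Administrator to his own account (the case from the thread).
var_dump(refusedGroups(['Jr Admin'], ['Jr Admin'], ['Jr Admin', 'Administrator'], $groupPerms));
// Full administrator promoting an officer.
var_dump(refusedGroups(['Administrator'], ['Officer'], ['Administrator'], $groupPerms));
```

The check belongs on the server where the group change is saved, so that hiding the option in the edit form is not the only control.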