MyBB Community Forums

Full Version: Stop admins promoting themselves
Hi.

I have two usergroups for admins. One called Administrator and one called Admin.

There are a few differences in permissions between them.

Like I have made it so Admins can't see some of the stuff Administrators can see.

I have made it so Admins can't edit admin permissions.

But I have one slight problem: there is nothing stopping them from putting themselves into the Administrator group and then accessing the bits I don't want them to.

Is there any way to stop them being able to join the Administrator group, but making it so they can still manage the other groups?

Disallow access to admin permissions, user management, and group promotions.

It would also be a good idea to disallow access to group management too, as they could (to an extent) give themselves more power that way, but if you disable admin permissions, that's not a problem.

Group promotions are disabled as they could set themselves to a better group that way.

User Management tasks can be mainly done from modcp albeit limited and is probably the third most powerful permission (Admin P -> DB Backups -> User M -> Settings -> Templates -> Plugins in order of powerfulness).

If you really need them to be able to use the admincp version of editing users, I may consider updating my staff hierarchy permissions plugin so admins can't edit themselves or anyone higher than them. Nonetheless, there is no definite way to ensure they will not abuse the permission as they could (easily) create a new user with full admin capabilities and use that to promote themselves.

You should update your plugin to widen the admin permissions for admins promoting other members to admin and editing themselves and any other admin.

Well, the way I see it is, unless that plugin gets updated or MyBB themselves add something, your admins can chuck you off your site; although they won't have hosting access etc., it will still cause a lot of pain.

No point them being admins if they can't access the admin P. Just need a plugin that sets limits to who can edit what groups.

(2015-02-21, 02:13 AM) Ben C Wrote: You should update your plugin to widen the admin permissions for admins promoting other members to admin and editing themselves and any other admin.

Not right now, but soon

(2015-02-21, 02:16 AM) ๖ۣۜGohan Wrote: Well, the way I see it is, unless that plugin gets updated or MyBB themselves add something, your admins can chuck you off your site; although they won't have hosting access etc., it will still cause a lot of pain.

No point them being admins if they can't access the admin P. Just need a plugin that sets limits to who can edit what groups.

Did you not read my post? Users with the ability to edit profiles in modcp can do a limited subset of the profile editing that admins can, which is a lot safer for you. I will update the plugin, but not today.

Also, make sure you are the only super admin in inc/config.php; that way, they can't take over, and if they try, you can ban them :)

(And there's another idea -- Use the value of the super_admin config field -- override all permissions set by my plugin....)

Did you read my post?

I need these guys to access the Admin P for section adding, adding people to groups, and other things. But I don't want them to be able to upgrade themselves!
If I take away the Admin Panel, no point them being here.

Okay, here's suggestions / questions:

1. Why in the world do you need to let your admins change the group of other users?
2. Quick-Fix to above --- Use group promotions system instead or do it yourself.
3. What do you mean by taking away admin P; certainly user management isn't the only thing they can do in it.
4. Let them manage forums, user titles, word filter, smilies, user (not ip) banning (in Users & Groups), themes (if you're willing to pose a slight security risk), mass mail, maybe custom moderation tools and custom mycode; all the useful, safe stuff. Managing users and groups isn't the only thing in the admincp.
5. If you seriously distrust your admins that much, why did you promote them in the first place? As forum/web master, it is ONLY YOU who determines the permissions of members and staff; if you cannot trust them, don't promote them.
6. It is better to have too few admins than too many admins. Unless you have a super huge forum, you and maybe 1 other admin should be enough. Moderators can also carry out some administrative tasks such as banning and announcements.



Well, the good news is I found the hook and implemented the change.
The bad news is I'm not updating the plugin until I find the hook for quick edit, as that is currently bugged (full edit works as expected and quick delete does too).
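
The hierarchy rule discussed in this thread (no editing yourself or anyone at or above your level, with super admins overriding everything), sketched as standalone PHP. This is an added example, not the plugin's code and not MyBB's API; the group ids, ranks, function names and array shapes are assumptions made for illustration.

```php
<?php
// Constructed rank table: usergroup id => rank (higher = more privileged).
// Hypothetical ids: 9 stands in for "Admin", 4 for "Administrator".
const GROUP_RANK = [2 => 0, 6 => 10, 3 => 20, 9 => 30, 4 => 40];

function highest_rank(array $groupIds): int
{
    $rank = 0;
    foreach ($groupIds as $gid) {
        // A group missing from the table counts as top rank, so the check fails closed.
        $rank = max($rank, GROUP_RANK[$gid] ?? PHP_INT_MAX);
    }
    return $rank;
}

// Decide whether $actor may move $target into $newGroups.
// $superAdmins stands in for the super admin uid list kept in inc/config.php.
function may_change_groups(array $actor, array $target, array $newGroups, array $superAdmins): bool
{
    if (in_array($actor['uid'], $superAdmins, true)) {
        return true;    // super admin overrides the hierarchy
    }
    if (in_array($target['uid'], $superAdmins, true)) {
        return false;   // nobody else edits a super admin
    }
    if ($actor['uid'] === $target['uid']) {
        return false;   // no self-edits, so no self-promotion
    }
    $actorRank = highest_rank($actor['groups']);
    if (highest_rank($target['groups']) >= $actorRank) {
        return false;   // target is a peer or higher
    }
    // Refuse to grant any group at or above the actor's own rank. This also
    // covers a newly created account being promoted as a stepping stone.
    return highest_rank($newGroups) < $actorRank;
}

// Constructed sample accounts.
$super  = [1];
$admin  = ['uid' => 7,  'groups' => [9]];
$member = ['uid' => 20, 'groups' => [2]];
var_dump(may_change_groups($admin, $admin,  [4], $super)); // Admin edits own groups
var_dump(may_change_groups($admin, $member, [4], $super)); // Admin grants Administrator
var_dump(may_change_groups($admin, $member, [6], $super)); // Admin grants a lower group
```

The check only holds if the same accounts cannot also edit group definitions or admin permissions, which is why the reply above lists those as permissions to withhold.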