MyBB Community Forums

Full Version: Reset user in administrator group permission?
I don't know how it happened. I made a new category that only group Administrators can access. I added the *only* user with Administrator access to it as its moderator. When I removed moderator status for that user for that new category... it seems to have stripped that user away from the Administrator group??!

I can't log in as that user in ACP. However, I can still log into the forum... when I did, I don't see "Mod CP" on top anymore. I only see "User CP". Which leads me to believe that's what happened - when I deleted the category mod, it purged the user from the Administrator group. Is this possible? Or a bug?

How can I put that user back into the Administrator group? I have SSH/root access to the server. Thanks for any help!

Is this your account or someone else's?

This is my account. My forum.

I fixed it. Reassigned the user back into the group through the mybb_users table.

I've confirmed it did strip my user account back down to gid 2 - registered. Not sure how it happened... I'll spawn a new forum up and see if I can reproduce this problem. Hope it's not a bug and just me fat-fingering something.

Thanks.

*EDIT*
INCREDIBLE! I was able to reproduce on my current forum. Will spawn a new forum to test.

Ok, I was able to reproduce the problem on a test forum.

Basically I have another group (HiddenAdmin) that mirrors the original Administrator group permissions and has ACP view assigned. I disabled Administrator group ACP view per this article:

Quote: Use another account as your admin account

If someone is trying to hack your forum, they’ll automatically target the admin account, to try and get ACP access. A hacker will know that the admin user will have a coloured username and show on the forum team page, and it’s easy to stop this. First, register a new account. Then, create a new usergroup, and give it ACP access, give the username the same style as normal registered members, and put the new user into that group; this will be the account you use to administrate your forum. Now, remove the ACP access from the standard administrator usergroup. You can now still use your usual account to post, and it will look like you are an admin, but you won’t have any ACP access, so any hacker that hacks your account will see that it was a waste of time. Plus, they could never find the user that does have ACP access, as that member would have a username in the style of a normal user.

When I created a new category and permissioned only the "Administrator" & my "HiddenAdmin" groups, assigned my user (who falls under the HiddenAdmin group, but not Administrator) as moderator of this newly created category, and then removed the user as category mod, it literally dropped this user back down to gid #2 (Registered) and it is not assigned to group HiddenAdmin anymore.

Is this considered a bug or a "feature"? Let me know and I will report it. Thanks.