MyBB Community Forums

Full Version: Members of inferior group can upgrade to Admin if given right permissions
Hello,

I came across something that I don't know if it's just a security oversight or by design. Basically, on my forums I have a group that I want to give Admin CP access to, but only for certain functions. I use the Admin Permissions to restrict them from doing things I don't want them doing.

Here's the problem. I want them to be able to manage users. This, unfortunately, opens a security hole as the way MyBB is currently set up, by giving the user the Admin Permission to manage users, they can then upgrade their account or another account to the Administrator usergroup, bypassing the purpose of the Admin Permissions. I was wondering if this was by design or not and if in future MyBB versions maybe this will be taken care of, by maybe a setting in Admin Permissions such as "Allow promotion of users to Administrator Usergroup" or something like that?

The way things are now the users can just bypass the Admin Permissions if they have the Manage Users permission.

Any simple fix for this?
I'll look into adding this to a future maintenance release.
Great! Thanks. :)
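
The check the thread asks for, sketched as an added example (not MyBB code and not from any poster): a guard that refuses a group change when a restricted admin tries to add a user to a group granting Admin CP access. The group ids, the `cancp` flag layout, the `promote_to_admin` permission name and the function name are assumptions made for illustration.

```php
<?php
// Constructed sample data: group id => does membership grant Admin CP access?
const GROUPS = [
    2 => ['title' => 'Registered',     'cancp' => false],
    4 => ['title' => 'Administrators', 'cancp' => true],
    8 => ['title' => 'User Managers',  'cancp' => true],
];

/**
 * Return the group ids the editor is not allowed to add to the target user.
 * $currentGroups / $requestedGroups hold the primary group plus any
 * additional groups, so both promotion routes are covered.
 */
function blocked_group_changes(array $editorPerms, array $currentGroups, array $requestedGroups): array
{
    // Hypothetical permission, modelled on the setting proposed in the thread.
    $mayPromote = !empty($editorPerms['promote_to_admin']);
    $blocked = [];

    // Only newly added memberships can escalate; removals are ignored here.
    foreach (array_diff($requestedGroups, $currentGroups) as $gid) {
        $group = GROUPS[$gid] ?? null;
        if ($group === null) {
            $blocked[] = $gid;          // unknown group id: fail closed
        } elseif ($group['cancp'] && !$mayPromote) {
            $blocked[] = $gid;          // would hand out Admin CP access
        }
    }
    return $blocked;
}

// Constructed scenarios: a restricted admin who only holds "manage users".
$manager = ['manage_users' => true];
$cases = [
    'self-promotion via primary group'  => [[8], [4]],
    'admin added as additional group'   => [[2], [2, 4]],
    'ordinary change, nothing added'    => [[2, 8], [2]],
];
foreach ($cases as $label => [$current, $requested]) {
    $blocked = blocked_group_changes($manager, $current, $requested);
    echo $label, ': ', $blocked ? 'DENY groups ' . implode(',', $blocked) : 'allow', PHP_EOL;
}
```

The guard has to run server-side on every path that writes a user's group membership; hiding the Administrators option in the edit form alone leaves the request itself unchecked.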