Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Forums permissions nightmare : all users being granted admin access

edited September 2011 in Vanilla 2.0 - 2.8
Hello all, I just found out that all the users that sign up to my site are being provided admin access automatically. On my friend's head's up, I signed up using another id on my own forum and was scared to hell by the permissions i were having by default( as a newly registered user) .

1) I have searched all over the web, found no similar issues.
2) I had this site imported from old phpBB.
3) Users can do literally anything including deleting my(admin) account. I tried to close the forums for all registered users temporarily by disabling "Signin" under allow, but that didnt work either.

Somebody please help me. This is a worst nightmare.


  • Options
    What role is the majority of you users? Member. If so then they shouldn't be able.

    If for some reason the default role is not member, and or you are using a custom role you need to change the permissions for that role and rename it. Just make sure that you are saved under admin rights, first.

    When you do custom role it is easy to make a mistake, and I think the default options are not that great. Even if you didn't intend to create a custom role you may have done by accident.

    grep is your friend.

  • Options
    Check the users section of your forum and see what roles they have. Then check the permissions of that role.
    Install a clean vanilla 2.0.18 and compare the roles / permissions with your site.
    I hope you have a localhost set up on your local PC so you can do some changes locally.

    There was an error rendering this rich post.

  • Options
    I have myself under administrator, another 2 under moderators. Rest of them are all under Registered. I verified with the documentation here, applied the selected roles. I didn't create any custom roles, but i did import from phpBB.

    Should i rename the registered to member?
  • Options
    Just looked at firebug console. When saving something related to permissions, i get 500 error. Renaming, saving everything. But I can save my own permissions without error.
Sign In or Register to comment.