
moderator rights

jackmaessen ✭✭✭
edited January 2014 in Vanilla 2.0 - 2.8

Using: 2.0.18.9
I noticed that when a moderator, who can view the IP address, clicks on the IP address, he sees the "Permission Problem" page.
So I changed the rights for the moderator as in the image below, but they still cannot click on the IP and see which member is assigned to this IP, with the option to delete this member.

Sorry, I did translate some Dutch words in the image.

Edit:
I also noticed that when I gave a moderator permission to delete a user, it is possible for him to also delete the admin!!!
That can't be true!


Comments

  • vrijvlinder Papillon-Sauvage MVP

    What do you mean by permission problems, a 403?

    Check that you have RewriteUrl TRUE, and that the htaccess rewrite engine is on.

  • businessdad Stealth contributor MVP

    @jackmaessen said:
    I also noticed that when I gave a moderator permission to delete a user, it is possible for him to also delete the admin!!!
    That can't be true!

    That makes sense. "Delete a user" means "delete a user, any user", not "delete a user only if he is not an admin". Roles are not aware of each other, they are just a set of permissions. When an action takes place, the appropriate controller checks the permissions and decides what to do. If the check for delete a user is merely "can delete a user", then that is all that's needed.

  • vrijvlinder Papillon-Sauvage MVP

    There should be an extra check for that: if someone other than admin wants to delete admin, they must enter a password, like on a Facebook page.

  • Perhaps moderators should be moderators and admins should be admins.

    You shouldn't give the moderators the ability to delete users. If you trust them to know what they are doing, make them admins. And an admin should be smart enough to know not to delete an admin.

    Moderators shouldn't have the privilege of deleting or adding users; they moderate, that is, moderate discussions.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • jackmaessen ✭✭✭
    edited January 2014

    You have a point, @peregrine, when you say moderators should not get involved with deleting users.
    I noticed that when I gave 3 persons moderation permission and I was looking in the table of the permissions that can be set. And at the very bottom, I see "users" with 4 checkboxes. But if I checked these checkboxes, I saw that they still had no permission to delete users. So I am a little bit confused why in the moderation table for permissions these options are displayed; because it doesn't make sense whether you check them or not; they are not able to remove users, when they try that there appears the "Permissions Problem" page for them.
    @vrijvlinder: yes, the page that appeared was the page with: "Permission Problem".

    What I actually expected was some hierarchy in the roles; something like this:

    Admin is the capital and can do everything.

    Below is, for example, General Moderator, which has all permissions on all the users except the admin.

    Below are the Moderators, which have all permissions on all users except General Moderator and Admin and have no permission about the other Moderators (let's say there are 3 Moderators, they cannot delete each other).

    Below is a Member with special rights, which has all permissions on the normal members but of course not on Moderators, General Moderator and Admin.

    And the last layer of normal Members, they have no permission to do anything except posting and reading topics.

  • Clicking on a user's IP address brings you to /user/browse?keywords=IP, which is the User controller and Browse method. The Browse method redirects to the Index method, which requires three permissions: Garden.Users.Add, Garden.Users.Edit, and Garden.Users.Delete, but your screenshot shows that those boxes are checked.

    Add Pages to Vanilla with the Basic Pages app
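
The flat "can delete a user" check described in the thread, next to the rank-aware check the original poster expected, as an added example that is not part of the thread or of Vanilla's code. The role ranks, function names and users are assumptions constructed for illustration; only the Garden.Users.* permission names come from the thread.

```php
<?php
// Constructed model of the thread's scenario. Only the Garden.Users.* names come
// from the thread; role ranks, functions and users are hypothetical, not Vanilla's API.
const USER_PERMS = ['Garden.Users.Add', 'Garden.Users.Edit', 'Garden.Users.Delete'];
// Flat model: a role is only a set of permissions.
const ROLE_PERMISSIONS = [
    'Member'    => [],
    'Moderator' => USER_PERMS, // the boxes ticked in the first post
    'Admin'     => USER_PERMS,
];
// Assumed ranks for the hierarchy proposed in the thread; higher outranks lower.
const ROLE_RANK = ['Member' => 0, 'Moderator' => 1, 'Admin' => 2];

function hasPermission(array $user, string $permission): bool
{
    foreach ($user['roles'] as $role) {
        if (in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

function rankOf(array $user): int
{
    // Unknown roles count as -1 so they never outrank anyone.
    return max(array_merge([-1], array_map(fn($r) => ROLE_RANK[$r] ?? -1, $user['roles'])));
}

// Flat check as described in the thread: the target is never consulted.
function canDeleteFlat(array $actor, array $target): bool
{
    return hasPermission($actor, 'Garden.Users.Delete');
}

// Rank-aware check: the permission AND a strictly higher rank than the target.
// The strict comparison also refuses deleting a peer or yourself.
function canDeleteRanked(array $actor, array $target): bool
{
    return hasPermission($actor, 'Garden.Users.Delete') && rankOf($actor) > rankOf($target);
}

$mod1  = ['name' => 'mod1',  'roles' => ['Member', 'Moderator']]; // constructed users
$mod2  = ['name' => 'mod2',  'roles' => ['Moderator']];
$admin = ['name' => 'admin', 'roles' => ['Admin']];
foreach ([[$mod1, $admin], [$mod1, $mod2], [$admin, $mod1]] as [$a, $t]) {
    printf("%s -> %s: flat=%s ranked=%s\n", $a['name'], $t['name'],
        var_export(canDeleteFlat($a, $t), true), var_export(canDeleteRanked($a, $t), true));
}
```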
