
Permissions

I want to have moderators/admins of the forum be able to delete users, but I don't want them to be able to delete the main root user (the user that is created when the forum is first installed). Is this possible?

Comments

  • vrijvlinder Papillon-Sauvage MVP

    You need to find trusted admins and mods. I believe they can't delete the superadmin but I could be wrong..

  • Thank You R_J

  • Where do I put that code?

  • @R_J said:
    I fully agree that your admins and moderators shouldn't be admins and mods if you do not trust them.

    But nevertheless you can restrict who can be deleted. An easy solution will not display a nice message for this, but good admins and mods shouldn't even try ;)

    This will prevent all admins from being deleted:

        public function userController_beforeUserDelete_handler($sender, $args) {
            $roles = RoleModel::getAllDefaultRoles();
            foreach ($roles[RoleModel::TYPE_ADMINISTRATOR] as $adminRole) {
                if (array_key_exists($adminRole, $args['UserRoleData'])) {
                    $args['CanDelete'] = false;
                }
            }
        }
    

    And this will prevent the super admin from being deleted:

        public function userController_beforeUserDelete_handler($sender, $args) {
            if ($args['TargetUser']->Admin > 0) {
                $args['CanDelete'] = false;
            }
        }
    

    Where do I put that?

  • vrijvlinder Papillon-Sauvage MVP

    Nice R_J, but what about an admin or mod changing roles on an admin so it becomes member or guest? That is the same as deletion.

    Maybe the rule should include not being able to edit the admin profiles at all, much less delete the person. Admins can do everything, but they should not be able to edit other admins' profiles. Or at least send a notification to the edited admin that his or her profile was edited.

    It would be useful to only allow the superadmin to edit profile and role change or delete other admins but them not be able to do it to the superadmin, so you don't lose access to the forum because they changed your name, role, or password as well as email.

    I was burglarized a few days ago and it feels quite awful, a complete violation. It feels the same when someone hijacks your forum and shuts you out.

    I am surprised there is no plugin called SafeAdmin …..

  • R_J Ex-Fanboy Munich Admin

    @Rockislife you need a custom plugin for that.
    Just copy any simple plugin (one that consists only of one file) and change the name of the plugin anywhere in the file name and in the copied code to your plugin's name.
    Then delete everything between the first "{" and the last "}" and put the code above between those brackets. After that you only have to enable your plugin from the dashboard.

    @vrijvlinder you are completely right about admins being able to change user roles and then delete "former" admins without problems. But at least that wouldn't work for the super admin if he uses the snippet that checks the Admin column and not the user's role.

    I guess there is no such plugin as SafeAdmin because that must be done by backups and trustworthy co-admins.
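
Added example, not part of any post in this thread and not Vanilla code: a self-contained PHP model of the two guards posted above, run against the role-change case raised in the thread. The account arrays, the function names and the premise that a role edit leaves the Admin column untouched (taken from R_J's reply) are assumptions of the model.

```php
<?php
// Constructed model (not Vanilla code): a user is an array with an Admin
// column and a list of role names, the two fields the posted snippets check.
const ADMIN_ROLE = 'Administrator';

// Guard 1 (hypothetical name): block deletion while the target currently
// holds the administrator role.
function roleGuardAllowsDelete(array $target): bool {
    return !in_array(ADMIN_ROLE, $target['Roles'], true);
}

// Guard 2 (hypothetical name): block deletion when the Admin column is set,
// which in the thread identifies the super admin created at install time.
function adminFlagGuardAllowsDelete(array $target): bool {
    return !($target['Admin'] > 0);
}

// A role edit as described in the thread. Assumption: it changes the role
// list only and never touches the Admin column.
function setRoles(array $user, array $roles): array {
    $user['Roles'] = $roles;
    return $user;
}

// Print what each guard decides for one account.
function report(string $label, array $user): void {
    printf("%-30s role guard: %-8s admin-flag guard: %s\n", $label,
        roleGuardAllowsDelete($user) ? 'DELETE' : 'blocked',
        adminFlagGuardAllowsDelete($user) ? 'DELETE' : 'blocked');
}

// Constructed sample accounts.
$superAdmin = ['Name' => 'root',  'Admin' => 1, 'Roles' => [ADMIN_ROLE]];
$coAdmin    = ['Name' => 'alice', 'Admin' => 0, 'Roles' => [ADMIN_ROLE]];

report('super admin, as installed', $superAdmin);
report('co-admin, as promoted', $coAdmin);

// The same accounts after another admin has changed their role to Member.
report('super admin, after role edit', setRoles($superAdmin, ['Member']));
report('co-admin, after role edit', setRoles($coAdmin, ['Member']));
```

In this model the role-based guard stops protecting either account once the role is changed, while the Admin-column guard keeps protecting the super admin only, so ordinary co-admins still need role edits restricted.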


  • hgtonight ∞ · New Moderator

    @vrijvlinder said:
    I am surprised there is no plugin called SafeAdmin …..

    I have an addon called role protect: https://vanillaforums.org/addon/roleprotect-plugin

    That lets you give admin without allowing them to add/remove specific roles.
