Roles able to edit user can ban the Administrator

I'm not sure if this is intended or not, but any role that is allowed to edit a user can ban the Administrator and also change them from Administrator to another role, for example member.

I'm trying to set a role where a couple of people are able to ban and give roles to others if need be, but I'd prefer if they can't ban me or demote me.

Any way to prevent them being able to do that? (using Vanilla 3.3).

Thank you in advance.

Comments

  • Check the permissions in the Role section of the dashboard. Your admins are only allowed what is shown there.

    Only the super admin has permission for everything.

  • Thank you for your answer.

    I should be the super administrator? It's the admin account that got created when I installed Vanilla. I have access to everything in the role permission section.

    The problem is I need a role below it that is able to give roles to others and also ban if they need to. To be able to do that they need to have the 'user edit' enabled in role permissions, and that enables them to change role or ban the administrator too. They can't create an administrator or promote to administrator though, but for some odd reason they can demote or ban the existing administrator.

    I think this must be a bug?

  • Kaspar ✭✭✭
    edited June 2020

    Via phpMyAdmin set YOUR role to "1" in the admin column.

    (This is at database level via your hosting login - not in the forums dashboard)

    ALWAYS make a backup before you do anything there - especially if you are a little or a lot outside your knowledge-zone.

  • Elle New
    edited June 2020

    Thank you for the answer. I'm really lost at what I'm looking at 😅. I did a database backup though.

    Is the table GDN_User I should be looking in? I clicked on the admin column and get this up. It's in Swedish unfortunately, but perhaps you'll see if I'm in the right place.

    There's also this if I just click on GDN_User. The system is set to 2 and I'm set to 1. The rest is set to 0.


  • After searching around I'm pretty sure the second picture is where this is set and it seems all correct there with my user as the only 1.

    The issue does not end with them being able to edit the super Administrator: if they're allowed to delete a user, they can also delete the super Admin. I definitely don't think this is intended, since they can't change someone to Admin or create an Admin.

  • Kaspar ✭✭✭
    edited June 2020

    Sorry, forgot to add some crucial info.

    Yes, it is in GDN_User

    You are in the 'Struktur' tab - you need to be in the 'Bladdra' / Vis / Browse - tab - which your second picture also shows you found.

    I have never tested it but I was convinced that an admin role set in forum dashboard could not touch a superadmin set in database.

    @R_J Heeelp! 😄

  • R_J Admin

    The permission "user edit" means exactly that "some user edit". In general, you wouldn't grant that permission to moderators. If they should be able to ban others, they need to have either the "Garden.Moderation.Manage" or the "Moderation.Users.Ban" permission.

    But that wouldn't stop them from banning everybody, including you.

    Kaspar was on the right track, I guess: a super admin (a user with "1" in the field "Admin" of the table "GDN_User") cannot be banned. And even which roles that user has doesn't matter.


    Roles can only be assigned with the permission "Garden.Users.Edit", but users can only be deleted with the permission "Garden.Users.Delete". But that's a dead end: if you have a malicious user with Users.Edit permission, he can change the email address of the super admin to his own mail address, request a password change and take over the forum.


    May I ask a question? Why do you want to grant such severe rights to a bunch of crackheads that cannot be trusted to act sane? ;-) The problem is the Users.Edit permission. Do your moderators really need to edit user accounts? Are role changes really so often that you need support from others for that?
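    The permission model R_J describes above, as an added illustrative example (not Vanilla's own code): the permission names and the GDN_User "Admin" flag are taken from the thread, while the `protect_super_admin` option is an assumed hardening that closes the e-mail-change takeover path, not documented Vanilla 3.3 behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    admin: int = 0                       # GDN_User.Admin: 1 = super admin, 0 = normal user
    permissions: set = field(default_factory=set)

# Permissions each action needs, as stated in the thread.
REQUIRED = {
    "edit":   {"Garden.Users.Edit"},
    "role":   {"Garden.Users.Edit"},
    "delete": {"Garden.Users.Delete"},
    "ban":    {"Garden.Moderation.Manage", "Moderation.Users.Ban"},
}

def is_allowed(actor: User, action: str, target: User,
               protect_super_admin: bool = False) -> bool:
    """True if actor may perform action on target.

    - A super admin (Admin=1) may do anything.
    - Otherwise the actor needs one of the permissions for the action.
    - A ban never takes effect on a super admin (thread: 'cannot be banned').
    - protect_super_admin (assumed hardening): a non-super-admin may not
      edit, re-role or delete a super admin either.
    """
    if action not in REQUIRED:
        raise ValueError(f"unknown action {action!r}")
    if actor.admin == 1:
        return True
    if not (actor.permissions & REQUIRED[action]):
        return False
    if target.admin == 1 and (action == "ban" or protect_super_admin):
        return False
    return True

def exposure(actor: User, target: User, protect_super_admin: bool = False) -> set:
    """Audit helper: the set of actions actor could take against target."""
    return {a for a in REQUIRED if is_allowed(actor, a, target, protect_super_admin)}

if __name__ == "__main__":
    # Constructed sample: the owner (Admin=1) and a "sort of admin" role from the thread.
    owner = User("owner", admin=1)
    mod = User("mod", permissions={"Garden.Users.Edit", "Garden.Users.Delete",
                                   "Moderation.Users.Ban"})
    print("default  :", sorted(exposure(mod, owner)))         # ['delete', 'edit', 'role']
    print("hardened :", sorted(exposure(mod, owner, True)))   # []
```

    Running the audit for a role with Users.Edit and Users.Delete shows exactly the gap Elle reports: the ban is refused, but edit, re-role and delete of the super admin are not.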

  • Thanks for clarifying, I wonder about one sentence though:

    I guess: a super admin (a user with "1" in the field "Admin" of the table "GDN_User") cannot be banned. And even which roles that user has doesn't matter.

    That's exactly the issue: it can be banned or removed by someone who has 0 if they have those settings enabled. If it's not supposed to be able to be banned, then there must be a bug going on.

    May I ask a question? Why do you want to grant such severe rights to a bunch of crackheads that cannot be trusted to act sane? ;-) The problem is the Users.Edit permission. Do your moderators really need to edit user accounts? Are role changes really so often that you need support from others for that?

    I understand why you wonder :D I do trust these people, they've been admins on the old forum for years, long before me. And yes, while we don't give certain roles very often, it does happen. Two different communities are involved, you could say, but on one forum, so it's not so easy for me to manage if they do a role change on the other. So they're sort of admins.

    I still got surprised they could change the super admin, or ban or even remove. I feel they simply shouldn't be able to.

  • Oh sorry RJ, I get what you're saying now.

    And even which roles that user has doesn't matter.

    They could ban or put that user as member, but they're still 1 so it wouldn't have effect. Haven't tried it, but it makes sense.

    Thank you both :D It's all so new yet, but I'm learning.
