Loading...
 
Skip to main content

Only let the admin change the admin details

Status
Closed
Subject
Only let the admin change the admin details
Version
2.x
Category
  • Feature request
  • Patch
Feature
User Administration (Registration, Login & Banning)
Submitted by
Geoff Brickell
Lastmod by
Geoff Brickell
Rating
(0)
Description

There is a very common use case where a specific Group should be given User admin permission, ie tiki_p_admin_users, so that the setting up of new users can be delegated.

However this permission allows the user with these added permissions to edit the admin details and therefore be in a position to assign new users and themselves to the Admins Group - which has 'security' (in the broadest sense) implications.

Changes that avoid this are needed so that the admin details can only be changed by the admin.

FIXED

Solution

A very simple solution to this is to edit the tiki-adminusers.tpl to add another 'if' check.

{if $usersuser.user ne 'admin' || $user eq 'admin'} can be used either around the <tr> element of the user table, to suppress the whole line for the 'admin user' from showing to anyone other than the admin or around the <td> element for the first column to suppress the various edit tools from showing to anyone other the admin.

This patch has been applied to a number of sites as theme specific .tpl and seem to work quite well.

Should it be added into a future release???



Importance
9
Priority
45
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
2162
Created
Tuesday 18 November, 2008 17:32:45 UTC
by Unknown
LastModif
Thursday 06 June, 2013 15:36:48 UTC


Show PHP error messages