There is a very common use case where a specific Group should be given User admin permission, i.e. tiki_p_admin_users, so that the setting up of new users can be delegated.
However this permission allows the user with these added permissions to edit the admin details and therefore be in a position to assign new users and themselves to the Admins Group - which has 'security' (in the broadest sense) implications.
Changes that avoid this are needed so that the admin details can only be changed by the admin.
FIXED
A very simple solution to this is to edit the tiki-adminusers.tpl to add another 'if' check.
{if $usersuser.user ne 'admin' || $user eq 'admin'} can be used either around the <tr> element of the user table, to suppress the whole line for the 'admin' user from showing to anyone other than the admin, or around the <td> element for the first column, to suppress the various edit tools from showing to anyone other than the admin.
This patch has been applied to a number of sites as a theme-specific .tpl and seems to work quite well.
Should it be added into a future release?
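The template condition above controls what is shown; the same rule can also be applied when the request is processed, so that a submitted change to the 'admin' account is refused regardless of what the page displayed. The following PHP is an added example, not Tiki's own code: the function names, the request array shape, the "helper" account and the Admins group check are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Tiki code. Function names and the request shape are hypothetical.
const PROTECTED_ACCOUNT = 'admin';
const PROTECTED_GROUP   = 'Admins';

// Same rule as the template condition
//   {if $usersuser.user ne 'admin' || $user eq 'admin'}
// evaluated server-side instead of in the .tpl.
function can_modify_account(string $actor, string $target): bool
{
    return $target !== PROTECTED_ACCOUNT || $actor === PROTECTED_ACCOUNT;
}

// Returns null when the request may proceed, or a reason string when it must be refused.
function check_user_admin_request(string $actor, array $req): ?string
{
    $target = (string)($req['user'] ?? '');
    if ($target === '') {
        return 'missing target user';
    }
    if (!can_modify_account($actor, $target)) {
        return "only '" . PROTECTED_ACCOUNT . "' may change that account";
    }
    // Assumption: group assignment arrives in the same request as a 'group' field.
    if (($req['group'] ?? null) === PROTECTED_GROUP && $actor !== PROTECTED_ACCOUNT) {
        return "only '" . PROTECTED_ACCOUNT . "' may assign the " . PROTECTED_GROUP . ' group';
    }
    return null;
}

// Constructed sample requests from a delegated user admin named "helper".
$samples = [
    ['user' => 'newuser', 'email' => 'n@example.org'],
    ['user' => 'admin',   'email' => 'x@example.org'],
    ['user' => 'helper',  'group' => 'Admins'],
];
foreach ($samples as $req) {
    $reason = check_user_admin_request('helper', $req);
    echo json_encode($req), ' => ', $reason ?? 'allowed', PHP_EOL;
}
```

The comparisons are case-sensitive, matching the `ne` / `eq` tests in the template condition.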