
Opened 8 years ago

Closed 8 years ago

#1201 closed defect (fixed)

Administrators may delete Keymasters

Reported by: alth1979
Owned by: chrishajer
Milestone: 1.0.3
Priority: high
Severity: critical
Version: 1.0.2
Component: General - Administration
Keywords: has-patch tested
Cc:

Description

Forum Administrators are allowed to delete Keymasters.
In my opinion, this should not be allowed.

Attachments (2)

1201.diff (2.1 KB) - added by GautamGupta 8 years ago.
Does simple checks
1201.2.diff (5.8 KB) - added by GautamGupta 8 years ago.
Based on previous patch, administrators now cannot see the password change form for keymasters, also contains cleanup for profile-edit.php of kakumei


Change History (10)

#1 @GautamGupta
8 years ago

  • Keywords needs-patch added

#2 @GautamGupta
8 years ago

  • Priority changed from normal to high
  • Severity changed from normal to critical
  • Summary changed from "Administrators" may delete Keymasters to Administrators may delete Keymasters

@GautamGupta
8 years ago

Does simple checks

#3 @GautamGupta
8 years ago

  • Keywords has-patch tested added; needs-patch removed
  • Owner set to chrishajer

#4 @chrishajer
8 years ago

Tested and an administrator was indeed able to delete the keymaster. Oops. Will test patch next.

#5 @chrishajer
8 years ago

Logged in as moderator and did not see the delete button when editing the profile of the keymaster. Is that the only test I need to perform? How about direct access to the URL, even without clicking the button?

#6 @chrishajer
8 years ago

Looking at the edit screen for a keymaster when logged in as an administrator. The drop down for permissions there allows only keymaster, which is good. Why should an administrator be allowed to change the password of a keymaster? That would lock out the keymaster, right?

UPDATE: I just tried to change the keymaster's password as an administrator and I got this error message: "You are not the Gate Keeper."

That's good.

It looks like an administrator can't edit anything on the keymaster's profile page, which is good (results in that "You are not the Gate Keeper." error message.) So, why should it even look like an administrator can edit something on a keymaster's page? Extending that, maybe you should not even see the profile edit screen of someone you don't have permission to edit?
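Comments 5 and 6 raise the two halves of the fix: the delete and password forms should not be shown to someone who cannot use them, and a directly typed URL must be refused just as firmly as a hidden button. The example below is an added illustration, not bbPress code or the attached patch; it keeps one authorization predicate that both the template and the request handler call, so the UI can never advertise an action the server refuses. The role names come from the ticket; the rank table, the function names and the request shape are assumptions.

```python
"""Added illustration (not bbPress code): server-side enforcement of the
rule in this ticket, that an administrator must not delete or edit a
keymaster, applied at the request handler so a hand-typed URL is checked
exactly like a button click.  Role names come from the ticket; the rank
table, function names and request shape are assumptions."""

from dataclasses import dataclass

# Constructed rank table: forum roles from lowest to highest.
ROLE_RANK = {"member": 0, "moderator": 1, "administrator": 2, "keymaster": 3}

# Profile actions this handler knows about (assumed names).
ACTIONS = ("edit", "change_password", "delete")


@dataclass(frozen=True)
class User:
    user_id: int
    role: str


class Forbidden(Exception):
    """Raised when the actor lacks authority over the target."""


def can_manage(actor: User, target: User) -> bool:
    """Single authorization predicate shared by the template and the handler.
    Rule (assumed): a user may manage themself, a keymaster may manage
    anyone, and otherwise the actor must strictly outrank the target."""
    if actor.user_id == target.user_id:
        return True
    if actor.role == "keymaster":
        return True
    return ROLE_RANK[actor.role] > ROLE_RANK[target.role]


def profile_controls(actor: User, target: User) -> list:
    """Controls the profile-edit template should render (comment 6: do not
    show forms the viewer cannot use)."""
    return list(ACTIONS) if can_manage(actor, target) else []


def handle_profile_action(actor: User, action: str, target_id: int, users: dict) -> str:
    """Entry point for a profile action, whether it arrived from a rendered
    button or a directly typed URL (comment 5).  The check runs here;
    hiding the button alone is not enforcement."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    target = users.get(target_id)
    if target is None:
        raise KeyError(target_id)
    if not can_manage(actor, target):
        # Deny with a message suitable for logging; the caller maps it to an error page.
        raise Forbidden(f"{actor.role} #{actor.user_id} may not {action} "
                        f"{target.role} #{target.user_id}")
    if action == "delete":
        del users[target_id]
    return f"{action} applied to user #{target_id}"


def demo() -> dict:
    """Replays the ticket's scenario on constructed users and returns each outcome."""
    users = {1: User(1, "keymaster"), 2: User(2, "administrator"),
             3: User(3, "moderator")}
    admin, keymaster = users[2], users[1]
    results = {}
    for label, actor, action, target in [
        ("admin_deletes_keymaster", admin, "delete", 1),
        ("admin_changes_keymaster_password", admin, "change_password", 1),
        ("admin_deletes_moderator", admin, "delete", 3),
        ("keymaster_edits_admin", keymaster, "edit", 2),
    ]:
        try:
            results[label] = handle_profile_action(actor, action, target, users)
        except Forbidden as exc:
            results[label] = f"denied: {exc}"
    results["controls_admin_sees_on_keymaster"] = profile_controls(admin, keymaster)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because `profile_controls` and `handle_profile_action` consult the same `can_manage`, the situation in comment 6 (a form that renders but fails with an error on submit) cannot arise, and the direct-URL case from comment 5 is refused by the handler rather than by the absence of a button.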

#7 @GautamGupta
8 years ago

Attached another patch, now the administrators cannot see the password change form for keymasters. It also contains cleanup for profile-edit.php of kakumei.

@GautamGupta
8 years ago

Based on previous patch, administrators now cannot see the password change form for keymasters, also contains cleanup for profile-edit.php of kakumei

#8 @chrishajer
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2421]) Administrators should not be able to delete or edit keymasters. Fixes #1201. Props gautamgupta
