Users with "administer users" permissions can manage users that have a more privileged role

Created on 20 April 2018, over 6 years ago

Updated 17 March 2023, over 1 year ago

Let's say you have an "administrator" role (super-admin role) and a "sub-administrator" role. The "sub-administrator" role should be allowed to assign any role except for "administrator". Well, give them the ability to assign roles at all, you need to also give them the "administer users" permission. But this permission allows them to edit/delete all users (except user 1).... so while they wouldn't be able to remove the "administrator" role from other users, they could easily just edit their username or password or delete their account instead.

At the very least, I think a prominent warning should be displayed about this, both on the module info page and the README.

🐛 Bug report

Status

Fixed

Version

1.0

Component

Documentation

Created by

🇺🇸United States bkosborne New Jersey, USA

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇨🇦Canada joseph.olstad
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024