XF 2.1 Admin Permissions

[XGC xVIPERx XI]

1. There are admin permissions that I need to assign to admins. There are some elements on those permissions that I don't want them to have access to. How can I change those individual elements to be viewed only by Super Admin?

2. Is it possible to lock down an admin account where and an admin account such as the Headadmin cannot be changed?

Thanks,

XGC xVIPERx Xi

 

[TheGreek]

1. There are admin permissions that I need to assign to admins. There are some elements on those permissions that I don't want them to have access to. How can I change those individual elements to be viewed only by Super Admin?

2. Is it possible to lock down an admin account where and an admin account such as the Headadmin cannot be changed?

Thanks,

XGC xVIPERx Xi

1. What are you not wanting them to have access to?

2. If the account is set as a super admin, it can only be changed by another super admin.

 

[XGC xVIPERx XI]

1. The connected accounts and Two-step verification are on the same admin permission for Manage Users and moderators. Which my admins need access for the users. But for connected accounts and Two-step verification is something that can be messed with and has absolutely nothing to do with Users, in the sense of dealing with users. Yet on the same one is the API keys that are super admin only access. Which is what I want to do with connected accounts and Two-step verification. How can I change them to Super Admin only?

2. Correct, but if the account was somehow hacked. Is there a way to prevent the account from being taken over? This includes the two-step verification. For example, vBulletin has where it prevents the account from being changed by anyone. Xenforo only allows Super Admins by another Super Admin. While the two-step verification prevent this? The reason why I asked, is because my vBulletin Headadmin account was hacked somehow for the very 1st time. Lucky, my own account was locked down and I was able to capture back the headadmin account. Just looking at how best to prevent the site from being totally taken over.

Which I found out tonight that all admins are being forced to implement two-step verification as I just added permissions to the admin usergroup. When the time comes, they will hate it but I will love it....

 

[RallyFan]

Super admin accounts should have TFA enabled and never be seen (nor used) actively on a forum. So untick them as displaying as staff, and hide them away.

Admins enforce TFA as well, in fact you can limit (I believe) what areas of AdminCP an admin can access. Perhaps limit that access to create rather than delete things.

As always, ensure you have backups in case of a hack.

 

[XGC xVIPERx XI]

Thanks, that is good advise.

Now just need to deal with the admin permissions connected accounts and Two-step verification to make those only Super Admin access. How can I get them that way?

 

[RallyFan]

I'd make 100% sure none of your admins/super admins are using connected accounts to login, as that's a massive security hole in itself.

TFA for Super Admins can be triggered by individual User Permissions under ACP > Groups and Permissions > User Permissions > Require Two Factor Authentication (I think it's under General Permissions.

 

[XGC xVIPERx XI]

There is only two super-admin accounts and will not be using connected accounts.

The second part is about the assignment capability. Meaning, connected accounts when assigned go to all admins that is given that designated permission. I want them to have that permission, but I do not want them to have access to certain elements such as connected accounts.

So in the files, for those two elements I need to find someone that can make an add-on to change:

protected function preDispatchController($action, ParameterBag $params)
{
$this->assertAdminPermission('user');
}

To:

protected function preDispatchController($action, ParameterBag $params)
{
$this->assertSuperAdmin();
$this->assertPasswordVerified(1800); // 30 minutes
}

In other words, when giving permissions to my admins there are some elements I don't want them to have and one that is super admin, that I want all admins to have.

 

[RallyFan]

In other words, when giving permissions to my admins there are some elements I don't want them to have and one that is super admin, that I want all admins to have.

Super Admins are technically separate to Admins. They belong under the Admin group, but a Super Admin sits higher.
Super Admins can only action or edit other super admin accounts, so don't worry about that.

Re your second part, I don't quite get what you are trying to achieve:
Do you mean that you want to temporarily give your admin users super admin access?
Or that they are sharing admin accounts?
Or that you want to limit what areas of Admin Control Panel your admins can access?

 

[XGC xVIPERx XI]

When I give an admin a permission, with that permission I want to remove some of the elements of that permission and make it super admin only. For example, I need to give admins the permission "Manage users and moderators". For that permission, I need to make Connected accounts and Two-step Verification Super Admin access only just like the API keys.

Another scenario is giving admins the permission "View logs". The admin logs are Super Admin only and I need all admins to have access to it.

These are just a few examples. I need a way to do this without actually modifying the files.

 

[RallyFan]

I don't think it's possible, although I read a post from Brogan the other day stating that if you add a user to Administrators (ACP > Users > Administrators > Make Administrators) you can set custom permissions there.

No sure how flexible it is though.

 

[jar546]

I am the owner of the site and always have been but I don't even see a Super Admin as an option.

 

[jeb35]

I am the owner of the site and always have been but I don't even see a Super Admin as an option.

A super admin is just an admin with all the permissions enabled.