Fixed An admin user with no admin permissions will still see stuff in the AdminCP

Sim

Well-known member
Affected version
2.3.3
I created a user, made them an administrator, but did not give them any admin permissions.

The user can still see the following:

[Screenshot attachment]

I need to provide a clean admin UI to some of my non-technical staff to undertake specific administrative tasks on the site using custom functionality I'm building into my application - but there is no way to remove these menu options (template modifications won't work) and they should not be seeing any technical information or functions while there.

I'm assuming if I manually change the admin permissions for these navigation items, they will revert back the next time I upgrade XF?

I consider this a bug - an admin user with no admin permissions should not see anything in the admin UI.

Can we have these tools assigned an admin permission to be visible so they can be turned off for some users?

There's also a bunch of stuff that shows up on the AdminCP index page that is not relevant to non-technical users (e.g. error log alerts, upgrade messages, server environment report, file health check report, etc.) and should also be hidden unless the user has specific admin privileges. I can at least hide these using template modifications - but I do consider it a bug that this information is visible by default to an administrative user with no explicit admin permissions.
 
Sorry to bother, but if they're non-technical, why do you want to give them ACP access anyway? I'd suggest giving them a proper explanation how stuff works, or simply say "ignore tools". Sorry, I'll mind my own business now. :notworthy::LOL:
 
Sorry to bother, but if they're non-technical, why do you want to give them ACP access anyway? I'd suggest giving them a proper explanation how stuff works, or simply say "ignore tools". Sorry, I'll mind my own business now. :notworthy::LOL:
Because some tasks still need to be under a second layer of authorization, but you do not want them to have any other access to the Admin CP.
 
I created a user, made them an administrator, but I'm assuming if I manually change the admin permissions for these navigation items, they will revert back the next time I upgrade XF ?
You could extend \XF\AdminNavigation::getFiltered to modify the navigation tree at runtime.

Tools should be guarded by permissions as they might show sensitive information.

 
Here is a list of info that is shown to all administrative users on the index page (and shouldn't be IMO):
  • Unicode warning
  • Stopped jobs
  • Legacy Config
  • Staff online
  • Environment report
  • Requirement errors
  • Import running
 
You could extend \XF\AdminNavigation::getFiltered to modify the navigation tree at runtime.

I did it via AdminNavigation::setupFilteredRecurse - it was easy enough.

I built an addon to hide all of this extra information:


... I still consider this a bug which should be fixed in the XF core though!

This has also prompted me to do an audit of all admin controllers I implement in my addons to ensure that they are explicitly asserting admin permissions - I've released a bunch of updates to fix things which weren't protected adequately (hiding the menu option isn't enough!).
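
Added example (not part of the thread, and not XenForo's or the poster's code): a small Python audit of the kind described above, flagging admin controller actions that no `assertAdminPermission()` call covers, either in the action itself or in `preDispatchController()`. The sample controllers and permission ids are constructed, and the brace matching is a heuristic, so hits are leads for manual review.

```python
import re

ASSERT_CALL = "assertAdminPermission("
METHOD_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")

def method_bodies(php_source):
    """Map method name -> body text (naive brace match; ignores strings/comments)."""
    bodies = {}
    for match in METHOD_RE.finditer(php_source):
        depth, pos = 1, match.end()
        while pos < len(php_source) and depth:
            depth += (php_source[pos] == "{") - (php_source[pos] == "}")
            pos += 1
        bodies[match.group(1)] = php_source[match.end():pos - 1]
    return bodies

def unguarded_actions(php_source):
    """Return action methods with no admin-permission assertion covering them."""
    bodies = method_bodies(php_source)
    if ASSERT_CALL in bodies.get("preDispatchController", ""):
        return []  # one assertion in preDispatchController covers every action
    return sorted(name for name, body in bodies.items()
                  if name.startswith("action") and ASSERT_CALL not in body)

# Constructed sample controllers (hypothetical add-on, permission ids made up).
GUARDED = """
class Report extends AbstractController
{
    protected function preDispatchController($action, ParameterBag $params)
    {
        $this->assertAdminPermission('demoReports');
    }
    public function actionIndex() { return $this->view('Demo:Report', 'demo_report'); }
}
"""
PARTIAL = """
class Tools extends AbstractController
{
    public function actionIndex() { return $this->view('Demo:Tools', 'demo_tools'); }
    public function actionRebuild()
    {
        $this->assertAdminPermission('demoRebuild');
        if ($this->isPost()) { $this->rebuild(); }
        return $this->redirect('demo-tools');
    }
}
"""
if __name__ == "__main__":
    for label, src in (("GUARDED", GUARDED), ("PARTIAL", PARTIAL)):
        print(label, unguarded_actions(src))
```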
 
Given that you have already written a solution, are you happy for us to just integrate your code into either the next 2.3 or 2.4 release?

We obviously have no issue doing the work ourselves but as you've basically already done it...?
 
Given that you have already written a solution, are you happy for us to just integrate your code into either the next 2.3 or 2.4 release?

We obviously have no issue doing the work ourselves but as you've basically already done it...?

Sure thing - you may want to tweak the admin permissions used of course, as is your prerogative.
 
Given that you have already written a solution, are you happy for us to just integrate your code into either the next 2.3 or 2.4 release?

We obviously have no issue doing the work ourselves but as you've basically already done it...?
Sure thing - you may want to tweak the admin permissions used of course, as is your prerogative.

This probably isn't the first time XF has used another developer's fix as a starting point in part or in whole, but it's the first time I've seen it happen. I have got to say that I absolutely love the collaboration between the community and XF dev team here to repair bugs to possibly get fixes out quicker, which probably has an impact on overall core development as there's less attention diverted to fixing a bug, even if it's only 15 minutes spared (or a much needed break instead).

👏
 
Given that you have already written a solution, are you happy for us to just integrate your code into either the next 2.3 or 2.4 release?

We obviously have no issue doing the work ourselves but as you've basically already done it...?

Sure thing - you may want to tweak the admin permissions used of course, as is your prerogative.
Unless of course you're going to pull a Matt Mullenweg, revoke the code and provide a checkbox confirming anybody using said code is not affiliated with WordPress XenForo.
 
It's a good job it wasn't called Clean XF Admin UI or there'd be trouble!!!
Good morning Chris

Thanks for your query.

For the best XenForo help please visit xenforohelp.com. It has recently been relinquished by the third party and offered to XenForo Ltd. We will eventually get around to upgrading the software version, but we're so busy helping people we haven't found the time.

Kind regards
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.4).

Change log:
Ensure all control panel functionality is covered by permissions
There may be a delay before changes are rolled out to the XenForo Community.
 