[Fixed] It is possible to delete an Administrator without entering your password

I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password apply only to super admin editing.
 
I can reproduce this on both my production site and my testing site (no addons). Both are running 1.1.4. I am a Super Administrator.

Do you need a test site?
 
Based on what the OP is saying (test site and production site with addons), I have a new question...

What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....
 
I believe it relates to deleting administrators from this page: admin.php?admins/

Clicking the red X produces a confirmation overlay and that's it.

However, changing the settings (for the same non-super administrator) requires you to enter your password.
 
What do you mean? For the overlay, or?

Also, I just dug into the overlay template and there is no password field in there either.
 
You only need a password to edit the administrator; if you click the red 'X' next to the administrator on the list of admins, no password is requested:

[image: delete_admin.webp]
Clicking the 'X' brings this up:

[image: delete_admin2.webp]

Clicking the delete button just deletes the admin, without asking for a password.

The same thing happens even if you click into the admin record.
 
Your picture shows an administrator account.
What is it for a super admin account?
If the super admin "id" is published in the config.php file, it must be protected, no?
Edit:
I will create a super administrator account (insert the id in config.php) and I will delete his account.
 
If I make Google a super admin, no password is requested.
 
This is normal, as a super administrator is stronger than an administrator.
In your case you need a test administrator to remove another director.
Do not make your test account a super administrator, otherwise the test is messed up.
 
Still, it doesn't really matter - if you're deleting an admin, you should be asked for a password. What if you're very stupid and you leave yourself logged into the AdminCP on a public computer and someone comes along and deletes all the admins?

(Albeit you would have to be rather stupid to do that ;))

Also, you can only access the page to delete admins if you're a super admin.
 
No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

But yeah, it seems to make sense to check the password when deleting an admin.
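The step-up check Mike describes, as an added illustration (not XenForo code; every name here is hypothetical): the delete handler as reported in the thread, which trusts the session alone, beside a version that re-verifies the acting admin's own password the way the edit page does, with both outcomes written to an audit log.

```python
import hashlib
import hmac
import os


class ReauthRequired(Exception):
    """Raised when a destructive admin action lacks a valid password confirmation."""


def _hash(password, salt):
    # PBKDF2 stands in for whatever the real application stores; hypothetical choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminStore:
    """Hypothetical admin table plus an audit log, not XenForo's data model."""

    def __init__(self):
        self.admins = {}  # user_id -> {"salt": bytes, "hash": bytes, "super": bool}
        self.audit = []   # (action, acting_id, target_id, outcome)

    def add(self, user_id, password, is_super=False):
        salt = os.urandom(16)
        self.admins[user_id] = {"salt": salt, "hash": _hash(password, salt), "super": is_super}

    def verify_password(self, user_id, password):
        rec = self.admins.get(user_id)
        if rec is None:
            return False
        # Constant-time comparison so the check does not leak hash bytes via timing.
        return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def delete_admin_unchecked(store, acting_id, target_id):
    """The behaviour reported in the thread: a live admin session is all it takes."""
    store.admins.pop(target_id, None)
    store.audit.append(("delete", acting_id, target_id, "ok"))
    return True


def delete_admin_checked(store, acting_id, target_id, supplied_password):
    """Hardened path: re-verify the ACTING admin's own password first (as the thread
    notes, it is the actor's password that is checked, not the deleted user's)."""
    if not store.verify_password(acting_id, supplied_password):
        store.audit.append(("delete", acting_id, target_id, "denied"))
        raise ReauthRequired("password confirmation failed")
    store.admins.pop(target_id, None)
    store.audit.append(("delete", acting_id, target_id, "ok"))
    return True
```

The "denied" audit entries are what a defender would alert on: repeated failed confirmations from one admin session are a sign of a hijacked login rather than a typo.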
 
But the password ISN'T needed when deleting a super admin.

I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway ;)

Probably best to ignore this post...
 
Regardless of whether or not it checks the password, you'll still be at the whims of those users. It doesn't ask for the password of the user being deleted, it asks for your password. I could remove or edit Onimua over at XenFluence, since it asks for my password, and not his. Adding the password check just verifies that it's me and not some random person with my account (well, to an extent).
 
I edited a super administrator account in the admin panel and in config.php
Code:
$config['superAdmins'] = '1,1300,64,';
I deleted the account and it was completely removed.
The removal code should be added in config.php as a security measure.
Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.
 

If in the config file there is a second admin protection, one cannot simply remove another admin.
This function would be useful for peace of mind:
Code:
$config['SpecialUsers']['undeletableusers'] = '1';
 
There is no such anti-deletion configuration option available.
 