Fixed It is possible to delete an Administrator without entering your password

[tyteen4a03]

Title.

It sounds like an inconsistency to me because you are required to enter your password when editing privileges, but not when you delete the administrator.

 

[Carlos]

That would pose a security problem....

 

[Mike]

I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password applies only to super admin editing.

 

[tyteen4a03]

I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password applies only to super admin editing.

I can reproduce this on both my production site and my testing site (no addons). Both are running 1.1.4. I am a Super Administrator.

Do you need a test site?

 

[Carlos]

I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password applies only to super admin editing.

Based on what the OP is saying (test site and production site with addons), I have a new question...

What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....

 

[Paul B]

I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

I believe it relates to deleting administrators from this page: admin.php?admins/

Clicking the red X produces a confirmation overlay and that's it.

However, changing the settings (for the same non-super administrator) requires you to enter your password.

 

[tyteen4a03]

Based on what the OP is saying (test site and production site with addons), I have a new question...

What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....

What do you mean? For the overlay, or?

Also, just dug into the overlay template and there is no password field in there too.

 

[Liam W]

You only need a password to edit the administrator, if you click the red 'X' next to the administrator on the list of admins, no password is requested:


Clicking the 'X' brings this up:



Clicking the delete button just deletes the admin, without asking for a password.

The same thing happens even if you click into the admin record.

 

[14DH01]

Your picture shows an administrator account.​

​

What is it for a super admin account?​

​

​

if the "id" super admin is published in the config.php file, it must be protected? no ?​

​

ré-edite​

​

I will create a super administrator account (insert id in config.php) and I will delete his account.

 

[Liam W]

Your picture shows an administrator account.

What is it for a super admin account?


if the "id" super admin is published in the config.php file, it must be protected? no ?

ré-edite

I will create a super administrator account (insert id in config.php) and I will delete his account.

If I make Google a super admin, no password is requested.

 

[14DH01]

If I make Google a super admin, no password is requested.

this is normal for a super administrator is stronger than administrator.
In your case you need a test administrator to remove another director.
do not make your test as super administrator => otherwise the test is messed up

 

[Liam W]

this is normal for a super admin is stronger than administrator.
In your case you need a test administrator to remove another director.
do not make your test as super administrator => otherwise the test is messed up

Still, it doesn't really matter - if you're deleting an admin, you should be requested for a password. What if your very stupid and you leave yourself logged into the AdminCP on a public computer and someone comes along and deletes all the admins?

(Albeit you would have to rather stupid to do that )

Also, you can only access the page to delete admins if you're a super admin.

 

[Mike]

No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

But yeah, it seems to make sense to check the password when deleting an admin.

 

[Liam W]

No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

But yeah, it seems to make sense to check the password when deleting an admin.

But the password ISN'T needed when deleting a super admin.

I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway

Probably best to ignore this post...

 

[Jeremy]

But the password ISN'T needed when deleting a super admin.

I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway

Probably best to ignore this post...

Regardless of whether or not it checks the password, you'll still be at the whims of those users. It doesn't ask for the user's password that is being deleted, it asks for your password. I could remove or edit Onimua over at XenFluence, since it asks for my password, and not his. Adding the password check just verifies that its me and not some random person with my account (well, to an extent).

 

[14DH01]

I edited a super administrator account in the admin panel and in config.php

$config['superAdmins'] = '1,1300,64,';

I delete the account and it is completely remove.
http://cibiforum.org/members/test.1300/
should add the code "anti account deletion" in the config.php file, as a security

 

[Jeremy]

I edited a super administrator account in the admin panel and in config.php

$config['superAdmins'] = '1,1300,64,';

I delete the account and it is completely remove.
should be added the removal code in the anti config.php by security measure

Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.

 

[14DH01]

Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.

if in the config file there is a second admin protection can not simply remove another admin.​

this function will be useful for quiet:​

$config['SpecialUsers']['undeletableusers'] = '1';

 

[Jeremy]

if in the config file there is a second admin protection can not simply remove another admin.
this function will be useful for quiet:

$config['SpecialUsers']['undeletableusers'] = '1';

There is no such anti-deletion configuration option available.

 

[14DH01]

$config['SpecialUsers']['undeletableusers'] = '1';

There is no such anti-deletion configuration option available.

This is why I offer this functionality