
Fixed It is possible to delete an Administrator without entering your password

Mike

XenForo developer
Staff member
#3
I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password apply only to super admin editing.
 

tyteen4a03

Well-known member
#4
I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password apply only to super admin editing.
I can reproduce this on both my production site and my testing site (no addons). Both are running 1.1.4. I am a Super Administrator.

Do you need a test site?
 

Carlos

Well-known member
#5
I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

Note that the edit limits of the additional password apply only to super admin editing.
Based on what the OP is saying (test site and production site with addons), I have a new question...

What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....
 

Brogan

XenForo moderator
Staff member
#6
I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).
I believe it relates to deleting administrators from this page: admin.php?admins/

Clicking the red X produces a confirmation overlay and that's it.

However, changing the settings (for the same non-super administrator) requires you to enter your password.
 

tyteen4a03

Well-known member
#7
Based on what the OP is saying (test site and production site with addons), I have a new question...

What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....
What do you mean? For the overlay, or?

Also, just dug into the overlay template and there is no password field in there too.
 

Liam W

Well-known member
#8
You only need a password to edit the administrator, if you click the red 'X' next to the administrator on the list of admins, no password is requested:

[Attached image: delete_admin.PNG]

Clicking the 'X' brings this up:

[Attached image: delete_admin2.PNG]

Clicking the delete button just deletes the admin, without asking for a password.

The same thing happens even if you click into the admin record.
 

14DH01

Active member
#9
Your picture shows an administrator account.
What is it for a super admin account?
If the "id" super admin is published in the config.php file, it must be protected? No?
Re-edit:
I will create a super administrator account (insert id in config.php) and I will delete his account.
 

Liam W

Well-known member
#10
Your picture shows an administrator account.

What is it for a super admin account?


if the "id" super admin is published in the config.php file, it must be protected? no ?

Re-edit:

I will create a super administrator account (insert id in config.php) and I will delete his account.
If I make Google a super admin, no password is requested.
 

14DH01

Active member
#11
If I make Google a super admin, no password is requested.
this is normal for a super administrator is stronger than administrator.
In your case you need a test administrator to remove another director.
do not make your test as super administrator => otherwise the test is messed up
 

Liam W

Well-known member
#12
this is normal for a super admin is stronger than administrator.
In your case you need a test administrator to remove another director.
do not make your test as super administrator => otherwise the test is messed up
Still, it doesn't really matter - if you're deleting an admin, you should be requested for a password. What if you're very stupid and you leave yourself logged into the AdminCP on a public computer and someone comes along and deletes all the admins?

(Albeit you would have to be rather stupid to do that ;))

Also, you can only access the page to delete admins if you're a super admin.
 

Mike

XenForo developer
Staff member
#13
No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

But yeah, it seems to make sense to check the password when deleting an admin.
 

Liam W

Well-known member
#14
No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

But yeah, it seems to make sense to check the password when deleting an admin.
But the password ISN'T needed when deleting a super admin.

I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway ;)

Probably best to ignore this post...
 

Jeremy

Well-known member
#15
But the password ISN'T needed when deleting a super admin.

I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway ;)

Probably best to ignore this post...
Regardless of whether or not it checks the password, you'll still be at the whims of those users. It doesn't ask for the user's password that is being deleted, it asks for your password. I could remove or edit Onimua over at XenFluence, since it asks for my password, and not his. Adding the password check just verifies that it's me and not some random person with my account (well, to an extent).
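The password check discussed in this thread, sketched as an added example (not part of the thread and not XenForo's code): one guard shared by every sensitive admin action, verifying the acting user's own password as post #15 describes. All function names, accounts and passwords below are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not XenForo code. Every name here is hypothetical.

// Constructed sample data: user_id => account record.
$users = [
    1  => ['name' => 'alice', 'hash' => password_hash('alice-pass', PASSWORD_DEFAULT)],
    64 => ['name' => 'bob',   'hash' => password_hash('bob-pass', PASSWORD_DEFAULT)],
];
$admins = [1 => true, 64 => true];   // user_ids that currently hold admin rights
$superAdmins = [1];                  // user_ids allowed to manage other admins

// Single guard shared by every sensitive admin action (edit, add, delete),
// so the delete path cannot skip the check that the edit path enforces.
function confirmActorPassword(array $users, int $actorId, ?string $supplied): void
{
    if ($supplied === null || $supplied === '') {
        throw new RuntimeException('Password confirmation required');
    }
    // Verify against the ACTING user's hash, never the target's.
    if (!isset($users[$actorId]) || !password_verify($supplied, $users[$actorId]['hash'])) {
        throw new RuntimeException('Password confirmation failed');
    }
}

function deleteAdmin(array $users, array &$admins, array $superAdmins,
                     int $actorId, int $targetId, ?string $actorPassword): void
{
    if (!in_array($actorId, $superAdmins, true)) {
        throw new RuntimeException('Only super admins may manage admins');
    }
    confirmActorPassword($users, $actorId, $actorPassword);
    unset($admins[$targetId]);   // removes admin permissions only
}

// A confirmation form with no password field submits no password: rejected.
try {
    deleteAdmin($users, $admins, $superAdmins, 1, 64, null);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
// The target's password does not authorize the action either.
try {
    deleteAdmin($users, $admins, $superAdmins, 1, 64, 'bob-pass');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
// The acting super admin re-enters their own password: deletion proceeds.
deleteAdmin($users, $admins, $superAdmins, 1, 64, 'alice-pass');
var_dump(isset($admins[64]));
```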
 

Jeremy

Well-known member
#17
I edited a super administrator account in the admin panel and in config.php
Code:
$config['superAdmins'] = '1,1300,64,';
I delete the account and it is completely removed.
should be added the removal code in the anti config.php by security measure
Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.
 


14DH01

Active member
#18
Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.
if in the config file there is a second admin protection can not simply remove another admin.
this function will be useful for quiet:
Code:
$config['SpecialUsers']['undeletableusers'] = '1';
 

Jeremy

Well-known member
#19
if in the config file there is a second admin protection can not simply remove another admin.
this function will be useful for quiet:
Code:
$config['SpecialUsers']['undeletableusers'] = '1';
There is no such anti-deletion configuration option available.