
[Fixed] It is possible to delete an Administrator without entering your password

Discussion in 'Resolved Bug Reports' started by tyteen4a03, May 10, 2013.

  1. tyteen4a03

    tyteen4a03 Well-Known Member

    Title.

    It sounds like an inconsistency to me because you are required to enter your password when editing privileges, but not when you delete the administrator.
     
    14DH01, Adam Howard, Alien and 2 others like this.
  2. Carlos

    Carlos Well-Known Member

    That would pose a security problem.... :unsure:
     
  3. Mike

    Mike XenForo Developer Staff Member

    I can't confirm this. The password box appears when deleting for me (and it errors if the password is not entered).

    Note that the edit limits of the additional password apply only to super admin editing.
     
  4. tyteen4a03

    tyteen4a03 Well-Known Member

    I can reproduce this on both my production site and my testing site (no addons). Both are running 1.1.4. I am a Super Administrator.

    Do you need a test site?
     
  5. Carlos

    Carlos Well-Known Member

    Based on what the OP is saying (test site and production site with addons), I have a new question...

    What triggers the password prompt, like <xen> or something else? It sounds like something is missing so he can't edit something he wants to do....
     
  6. Brogan

    Brogan XenForo Moderator Staff Member

    I believe it relates to deleting administrators from this page: admin.php?admins/

    Clicking the red X produces a confirmation overlay and that's it.

    However, changing the settings (for the same non-super administrator) requires you to enter your password.
     
    tyteen4a03 likes this.
  7. tyteen4a03

    tyteen4a03 Well-Known Member

    What do you mean? For the overlay, or?

    Also, just dug into the overlay template and there is no password field in there too.
     
  8. Liam W

    Liam W Well-Known Member

    You only need a password to edit the administrator, if you click the red 'X' next to the administrator on the list of admins, no password is requested:

    [Attachment: delete_admin.PNG]
    Clicking the 'X' brings this up:

    [Attachment: delete_admin2.PNG]

    Clicking the delete button just deletes the admin, without asking for a password.

    The same thing happens even if you click into the admin record.
     
  9. 14DH01

    14DH01 Active Member

    Your picture shows an administrator account.
    What about a super admin account?
    If the super admin "id" is published in the config.php file, it must be protected, no?
    Re-edited:
    I will create a super administrator account (insert id in config.php) and I will delete his account.
     
  10. Liam W

    Liam W Well-Known Member

    If I make Google a super admin, no password is requested.
     
  11. 14DH01

    14DH01 Active Member

    This is normal, as a super administrator is stronger than an administrator.
    In your case you need a test administrator to remove another director.
    Do not run your test as a super administrator, otherwise the test is messed up.
     
  12. Liam W

    Liam W Well-Known Member

    Still, it doesn't really matter - if you're deleting an admin, you should be requested for a password. What if you're very stupid and you leave yourself logged into the AdminCP on a public computer and someone comes along and deletes all the admins?

    (Albeit you would have to be rather stupid to do that ;))

    Also, you can only access the page to delete admins if you're a super admin.
     
  13. Mike

    Mike XenForo Developer Staff Member

    No real damage can be done as it's simply going to be removing permissions - editing a super admin (such as deleting their account) or defining a new admin does potentially create more concerns, hence the password.

    But yeah, it seems to make sense to check the password when deleting an admin.
     
    0xym0r0n, 14DH01 and Liam W like this.
  14. Liam W

    Liam W Well-Known Member

    But the password ISN'T needed when deleting a super admin.

    I have 2 super admins. Any one of them can delete the other, without the password. But now I'm thinking of something completely different which wouldn't make sense anyway ;)

    Probably best to ignore this post...
     
  15. Jeremy

    Jeremy XenForo Moderator Staff Member

    Regardless of whether or not it checks the password, you'll still be at the whims of those users. It doesn't ask for the password of the user that is being deleted, it asks for your password. I could remove or edit Onimua over at XenFluence, since it asks for my password, and not his. Adding the password check just verifies that it's me and not some random person with my account (well, to an extent).
     
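The point Jeremy makes above is that the re-entered password proves the identity of the acting admin, not the target. The following is an added illustration, not XenForo's code nor anything a poster wrote: a hypothetical admin store with the unchecked delete the thread reports beside a hardened delete that verifies the actor's own password first. All class, method and sample values are constructed for the example.

```php
<?php
// Hypothetical stand-in for an admin table; not XenForo's API.
final class DeleteAdminDemo
{
    /** @var array<int, array{name:string,hash:string}> constructed sample admins */
    private array $admins;

    public function __construct()
    {
        // Constructed sample data: id => display name and a bcrypt hash of a known password.
        $this->admins = [
            1  => ['name' => 'alice', 'hash' => password_hash('alice-pass', PASSWORD_DEFAULT)],
            42 => ['name' => 'bob',   'hash' => password_hash('bob-pass',   PASSWORD_DEFAULT)],
        ];
    }

    // The behaviour reported in the thread: a confirmation overlay, then the delete.
    // Nothing ties the action to the actual account owner, only to the live session.
    public function deleteAdminUnchecked(int $actorId, int $targetId): bool
    {
        unset($this->admins[$targetId]);
        return true;
    }

    // Hardened form: the *acting* user's password is checked before the target is removed.
    // A hijacked or left-open session cannot complete the action without it.
    public function deleteAdminWithReauth(int $actorId, int $targetId, string $actorPassword): bool
    {
        if (!isset($this->admins[$actorId], $this->admins[$targetId])) {
            return false;
        }
        if (!password_verify($actorPassword, $this->admins[$actorId]['hash'])) {
            // Treat a failed re-auth like a failed login: record it and change nothing.
            error_log("admin delete refused: password check failed for actor {$actorId}");
            return false;
        }
        unset($this->admins[$targetId]);
        return true;
    }

    public function has(int $id): bool
    {
        return isset($this->admins[$id]);
    }
}

$demo = new DeleteAdminDemo();
var_dump($demo->deleteAdminWithReauth(1, 42, 'wrong-guess'), $demo->has(42)); // refused, bob kept
var_dump($demo->deleteAdminWithReauth(1, 42, 'alice-pass'), $demo->has(42));  // accepted, bob gone
```

The check only raises the bar against someone else using an admin's open session; as Jeremy notes, it does nothing to stop the legitimate super admin who knows their own password.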
  16. 14DH01

    14DH01 Active Member

    I edited a super administrator account in the admin panel and in config.php
    Code:
    $config['superAdmins'] = '1,1300,64,';
    I deleted the account and it was completely removed.
    http://cibiforum.org/members/test.1300/
    An "anti account deletion" setting should be added in the config.php file, as a security measure.
     
  17. Jeremy

    Jeremy XenForo Moderator Staff Member

    Creating Super Administrators doesn't make them immune to edits. It allows them to have more access to things within the ACP, and adding an administrator is one of them.
     

  18. 14DH01

    14DH01 Active Member

    If there is a second admin protection in the config file, one cannot simply remove another admin.
    This function would be useful for peace of mind:
    Code:
    $config['SpecialUsers']['undeletableusers'] = '1';
     
  19. Jeremy

    Jeremy XenForo Moderator Staff Member

    There is no such anti-deletion configuration option available.
     
  20. 14DH01

    14DH01 Active Member

    This is why I offer this functionality :D
     