Separate Administrator Manage Users and Moderators Permission

bluepaw · Nov 20, 2014

Is it possible to get the Administrator permission "Manage users and moderators" split to two separate permissions? I'd like to have admins that can manage approving and editing users without being able to adjust moderators and their permissions. Right now it seems to be they get all or nothing.

dieketzer · Nov 20, 2014

'all or nothing' seems to be an issue in many areas of xf.
id love to see this suggestion come to pass.

(and a banned usergroup as well)

Amaury · Nov 20, 2014

dieketzer said:
(and a banned usergroup as well)

There's no need for a user group for banned members except for styling reasons, which you can just create yourself if needed.

dieketzer · Nov 20, 2014

Maru said:
There's no need for a user group for banned members except for styling reasons, which you can just create yourself if needed.

you are wrong, but this isnt the thread to date that in i suppose.

Martok · Nov 20, 2014

dieketzer said:
you are wrong, but this isnt the thread to date that in i suppose.

@Maru is correct but as you say, this should be discussed elsewhere.

Reid2 · Apr 21, 2015

Has anyone come up with a way to grant an admin permission to manage users and not moderators? This does seem like something useful. Thanks in advance for any update on custom code or an add-on which might make this possible. Basically we want someone who can mange users; but not moderators.

Zynektic · Jul 7, 2015

Hmm, bumping this again - I just added a Super Moderator to the ACP with this to manage users and do not want them to be able to alter Moderators.

Alpha1 · Nov 13, 2015

Zynephix said:
Hmm, bumping this again - I just added a Super Moderator to the ACP with this to manage users and do not want them to be able to alter Moderators.

For moderators to moderate new registrations, they need to be made admins with the permission Manage users and moderators. If they have this then they can make anyone moderator and administrator or remove such usergroups and status.
This seems a vulnerability to me. If a moderator goes rogue or account gets hacked, then this vulnerability can be exploited to make other accounts admin & moderator. Which can then be abused to merge all threads into one which destroys the site. As one example of how it could be exploited.

Moderator functionality should be separated from admin functionality for security reasons.
As is we cannot use best practices as we have always done on vbulletin.

Floyd R Turbo · Aug 14, 2017

Thanks for the bump. This does indeed appear to be a concern...one that I haven't really encountered though, because I don't really allow many people to have moderator rights

Separate Administrator Manage Users and Moderators Permission

bluepaw

Member

dieketzer

Well-known member

Amaury

Well-known member

dieketzer

Well-known member

Martok

Well-known member

Reid2

Member

Zynektic

Well-known member

Alpha1

Well-known member

Floyd R Turbo

Well-known member

Similar threads

We value your privacy