Not a bug User uploaded avatar with usergroup options disabling it

[avalanch]

Affected version

2.2.13

Somehow, a user managed to upload a avatar and doesn't have 2fa enabled. I set it yesterday to force 2fa for the usergroup and turn off options such as uploading an avatar... did I make a mistake somewhere? Somehow, it seems that she was able to bypass some rules.
She is in the registered usergroup

marcellahines

www.vgcheat.com

Below is what her specific permissions look like (I did not edit them, they turned out that way)


This is what the default permissions look like for the registered group (which she is in)

 

[Jeremy P]

This user has a Gravatar associated with their email address. When a new user registers, XenForo will automatically search for a Gravatar associated with their email address. You may disable Gravatar support in your options, though do note it will not remove Gravatars from users that already have them.

 

[avalanch]

Oh okay yes I see gravatars is indeed enabled. Thanks for that.

Any insight on why the permissions aren't matching the set usergroup though? I checked another user and they seem to have the same permissions instead of inheriting the proper permissions of the usergroup they are in. Maybe because she didn't comply with the forced 2fa yet, she did not inherit the registered usergroup permissions?

 

[Jeremy P]

Permissions in XenForo are cumulative. You can use the permission analyzer for further insight.