Users in the manager group can add other users to the administrator group

Moderators: mandville, PhilD, General Support Moderators

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Users in the manager group can add other users to the administrator group

Postby duvi » Sun Mar 04, 2018 10:18 am

Steps to reproduce:
- log in as Super Users to administrator area
- allow Manager group to Access Administration Interface for Users
- create two users (User1 and User2)
- add User1 to the Manager group
- log out as Super User
- log in as User1 to administrator area
- select User2 in Users
- select Assigned User Groups tab
- here you can select Administrator, then save
- now User2 can log in with Administrator privileges

How can this be disabled? Is this a bug or intentional?
Users in a specific group shouldn't be allowed to add other users to a subgroup of their own group.

Tskabry
Joomla! Apprentice
Posts: 6
Joined: Thu Feb 02, 2012 11:46 am

Re: Users in the manager group can add other users to the administrator group

Postby Tskabry » Sun Mar 04, 2018 11:24 am

I am a bit of an intermediate but think I may have a useful suggestion. You may want to create another user level called site manager and then review the permissions for that user profile...also check your Inherent/hierarchy settings.

JAVesey
Joomla! Ace
Posts: 1662
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Postby JAVesey » Sun Mar 04, 2018 12:04 pm

What is the parent group of your managers group? If it is Super User then managers may have inherited the Super Users permissions.

Tip: NEVER make a user-group with Super Users as the parent.
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.8)

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Re: Users in the manager group can add other users to the administrator group

Postby duvi » Sun Mar 04, 2018 1:16 pm

All is Joomla default, so the parent of Manager group is Public.
I tried Tskabry's idea now. I created a new group which is not the default Manager, and put User1 in it (and took him out of default Manager group). Still, User1 can put User2 into Administrator.

Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.
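The rule duvi describes, and the check that would close it, written out as a small authorization model. This is an added example constructed for the thread, not Joomla's own ACL code: the group names, permission strings and the `core.manage` gate are assumptions chosen to illustrate the point. The weak rule protects only the Super User group; the hardened rule also refuses any group whose permissions the assigning user does not already hold, so a Manager can no longer hand out Administrator.

```python
"""Group-assignment authorization model (constructed example, not Joomla code).

Each group carries a set of permissions. An actor who holds "core.manage"
may assign groups to another account. can_assign_weak mirrors the behaviour
described in the thread; can_assign_hardened adds a privilege check.
"""

# Constructed group table: name -> set of permissions. Illustrative
# assumptions, not Joomla's real ACL tables or permission names.
GROUPS = {
    "Public": set(),
    "Manager": {"core.login.admin", "core.manage"},
    "Administrator": {"core.login.admin", "core.manage", "core.admin"},
    "Super Users": {"core.login.admin", "core.manage", "core.admin", "core.super"},
}
SUPER_USER_GROUP = "Super Users"


def effective_permissions(groups):
    """Union of the permissions granted by every group the account belongs to."""
    perms = set()
    for g in groups:
        perms |= GROUPS[g]
    return perms


def can_assign_weak(actor_groups, target_group):
    """Rule as described in the thread: only the Super User group is protected."""
    if "core.manage" not in effective_permissions(actor_groups):
        return False
    return target_group != SUPER_USER_GROUP


def can_assign_hardened(actor_groups, target_group):
    """Hardened rule: an actor may only grant permissions they already hold."""
    actor_perms = effective_permissions(actor_groups)
    if "core.manage" not in actor_perms:
        return False
    if target_group == SUPER_USER_GROUP:
        return False
    # Subset test: every permission of the target group must be one the actor has.
    return GROUPS[target_group] <= actor_perms


def audit_assignment(actor_groups, target_user, target_group, rule):
    """Return a log-style record showing the decision and any privilege the
    assignment would grant beyond what the actor holds (useful for detection)."""
    allowed = rule(actor_groups, target_group)
    beyond = GROUPS[target_group] - effective_permissions(actor_groups)
    return {
        "target": target_user,
        "group": target_group,
        "allowed": allowed,
        "would_grant_beyond_actor": sorted(beyond),
    }


if __name__ == "__main__":
    # The scenario from the thread: User1 (Manager) assigns User2 to Administrator.
    for rule in (can_assign_weak, can_assign_hardened):
        print(rule.__name__, audit_assignment(["Manager"], "User2", "Administrator", rule))
```

The `would_grant_beyond_actor` field is the signal a site owner would want in an audit log regardless of which rule is in force: any non-empty value means a group assignment handed out more than the assigning account itself had.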

JAVesey
Joomla! Ace
Posts: 1662
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Postby JAVesey » Sun Mar 04, 2018 4:20 pm

duvi wrote: Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.

That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.8)

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Re: Users in the manager group can add other users to the administrator group

Postby duvi » Sun Mar 04, 2018 4:22 pm

JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?

No, you can't assign yourself to groups, only everyone else.

JAVesey
Joomla! Ace
Posts: 1662
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Postby JAVesey » Sun Mar 04, 2018 4:27 pm

duvi wrote:
JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?

No, you can't assign yourself to groups, only everyone else.

Hmmmm... two nefarious users mutually agree to bump each other up the hierarchy...

Have you reported this as a bug? I'm sure it can't be like this by design.
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.8)
