Steps to reproduce:
- log in as Super User to administrator area
- allow Manager group to Access Administration Interface for Users
- create two users (User1 and User2)
- add User1 to the Manager group
- log out as Super User
- log in as User1 to administrator area
- select User2 in Users
- select Assigned User Groups tab
- here you can select Administrator, then save
- now User2 can log in with Administrator privileges
How can this be disabled? Is this a bug or intentional?
Users in a specific group shouldn't be allowed to add other users to a subgroup of their own group.
Users in the manager group can add other users to the administrator group
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed May 02, 2012 10:55 pm
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Feb 02, 2012 11:46 am
Re: Users in the manager group can add other users to the administrator group
I am a bit of an intermediate but think I may have a useful suggestion. You may want to create another user level called site manager and then review the permissions for that user profile... also check your Inherent/hierarchy settings.
- JAVesey
- Joomla! Hero
- Posts: 2636
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Users in the manager group can add other users to the administrator group
What is the parent group of your managers group? If it is Super User then managers may have inherited the Super Users permissions.
Tip: NEVER make a user-group with Super Users as the parent.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMPP for OSX with PHP 8.2.4 and MariaDB 10.4.28
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed May 02, 2012 10:55 pm
Re: Users in the manager group can add other users to the administrator group
All is Joomla default, so the parent of Manager group is Public.
I tried Tskabry's idea now. I created a new group which is not the default Manager, and put User1 in it (and took him out of default Manager group). Still, User1 can put User2 into Administrator.
Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.
- JAVesey
- Joomla! Hero
- Posts: 2636
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Users in the manager group can add other users to the administrator group
duvi wrote: Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.
That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMPP for OSX with PHP 8.2.4 and MariaDB 10.4.28
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed May 02, 2012 10:55 pm
Re: Users in the manager group can add other users to the administrator group
JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
No, you can't assign yourself to groups, only everyone else.
- JAVesey
- Joomla! Hero
- Posts: 2636
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Users in the manager group can add other users to the administrator group
JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
duvi wrote: No, you can't assign yourself to groups, only everyone else.
Hmmmm... two nefarious users mutually agree to bump each other up the hierarchy...
Have you reported this as a bug? I'm sure it can't be like this by design.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMPP for OSX with PHP 8.2.4 and MariaDB 10.4.28
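Added example, not part of the thread and not Joomla's own code: a small Python model of the assignment rule reported above next to a stricter rule that only lets an actor assign groups whose permissions they already hold. The group tree, the permission sets and all function names are constructed assumptions, and explicit Deny rules are ignored.

```python
# Constructed, simplified model: group -> parent, and permissions granted at each level.
PARENT = {"Public": None, "Manager": "Public",
          "Administrator": "Manager", "Super Users": "Public"}
GRANTS = {
    "Public": set(),
    "Manager": {"core.login.admin", "core.manage", "core.edit"},
    "Administrator": {"core.create", "core.delete", "core.edit.state"},
    "Super Users": {"core.admin"},
}

def effective(group):
    """Permissions of a group, including everything inherited from its parents."""
    perms = set()
    while group is not None:
        perms |= GRANTS[group]
        group = PARENT[group]
    return perms

def user_perms(groups):
    """Union of the effective permissions of every group the user belongs to."""
    return set().union(*(effective(g) for g in groups))

def observed_can_assign(actor_groups, target):
    """Behaviour reported in the thread: anything except Super Users is assignable."""
    perms = user_perms(actor_groups)
    if "core.edit" not in perms:          # stand-in for "may edit users"
        return False
    return target != "Super Users" or "core.admin" in perms

def hardened_can_assign(actor_groups, target):
    """Stricter rule: the target group may not carry permissions the actor lacks."""
    return (observed_can_assign(actor_groups, target)
            and effective(target) <= user_perms(actor_groups))

def reachable_groups(members, rule):
    """Memberships once users keep assigning groups to each other, never to themselves."""
    members = {u: set(g) for u, g in members.items()}   # work on a copy
    changed = True
    while changed:
        changed = False
        for actor in list(members):
            for other in members:
                if other == actor:
                    continue
                for target in PARENT:
                    if target not in members[other] and rule(members[actor], target):
                        members[other].add(target)
                        changed = True
    return members
```

Calling `reachable_groups` with `observed_can_assign` shows both users ending up in Administrator, the mutual bump described in the last reply; with `hardened_can_assign` neither gets past Manager.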