Users in the manager group can add other users to the administrator group

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Users in the manager group can add other users to the administrator group

Post by duvi » Sun Mar 04, 2018 10:18 am

Steps to reproduce:
- log in as a Super User to the administrator area
- allow Manager group to Access Administration Interface for Users
- create two users (User1 and User2)
- add User1 to the Manager group
- log out as Super User
- log in as User1 to administrator area
- select User2 in Users
- select Assigned User Groups tab
- here you can select Administrator, then save
- now User2 can log in with Administrator privileges

How can this be disabled? Is this a bug or intentional?
Users in a specific group shouldn't be allowed to add other users to a subgroup of their own group.

Tskabry
Joomla! Apprentice
Posts: 6
Joined: Thu Feb 02, 2012 11:46 am

Re: Users in the manager group can add other users to the administrator group

Post by Tskabry » Sun Mar 04, 2018 11:24 am

I am a bit of an intermediate but think I may have a useful suggestion. You may want to create another user level called site manager and then review the permissions for that user profile... also check your inheritance/hierarchy settings.

JAVesey
Joomla! Hero
Posts: 2636
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Post by JAVesey » Sun Mar 04, 2018 12:04 pm

What is the parent group of your managers group? If it is Super User then managers may have inherited the Super Users permissions.

Tip: NEVER make a user-group with Super Users as the parent.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMPP for OSX with PHP 8.2.4 and MariaDB 10.4.28

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Re: Users in the manager group can add other users to the administrator group

Post by duvi » Sun Mar 04, 2018 1:16 pm

All is Joomla default, so the parent of Manager group is Public.
I tried Tskabry's idea now. I created a new group which is not the default Manager, and put User1 in it (and took him out of default Manager group). Still, User1 can put User2 into Administrator.

Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.

JAVesey
Joomla! Hero
Posts: 2636
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Post by JAVesey » Sun Mar 04, 2018 4:20 pm

duvi wrote: Basically, if you have permission to assign groups to a user, you can assign any group except Super User, even if the assigned group has more privileges than your own.
That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?

duvi
Joomla! Fledgling
Posts: 3
Joined: Wed May 02, 2012 10:55 pm

Re: Users in the manager group can add other users to the administrator group

Post by duvi » Sun Mar 04, 2018 4:22 pm

JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
No, you can't assign yourself to groups, only everyone else.

JAVesey
Joomla! Hero
Posts: 2636
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Users in the manager group can add other users to the administrator group

Post by JAVesey » Sun Mar 04, 2018 4:27 pm

duvi wrote:
JAVesey wrote: That's bonkers if true! Can a user assign themselves to a group with more privileges than they currently enjoy?
No, you can't assign yourself to groups, only everyone else.
Hmmmm... two nefarious users mutually agree to bump each other up the hierarchy...

Have you reported this as a bug? I'm sure it can't be like this by design.
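
The following is an added example, not Joomla's own code and not something any poster in this thread wrote. It models the behaviour described in the reproduction steps of the first post (a Manager handing out Administrator) and the mutual escalation JAVesey raises in the last post, with the permissive rule duvi observed beside a hardened one. The group IDs, titles and parent links match the Joomla 3 default groups; the actions granted per group and the user names User1/User2 are constructed for illustration, as are the function names.

```python
"""Toy model of Joomla-style group assignment (added example, not Joomla code).

Group IDs/titles/parents follow the Joomla 3 defaults. The actions attached
to each group and the users are constructed assumptions for illustration.
"""
from collections.abc import Callable

# (parent_id, title) per group id. In the default tree Manager is a child of
# Public and Administrator a child of Manager, so Administrator inherits
# everything Manager may do and adds its own grants.
GROUPS = {
    1: (None, "Public"),
    2: (1, "Registered"),
    6: (1, "Manager"),
    7: (6, "Administrator"),
    8: (1, "Super Users"),
}
SUPER_USER_GROUPS = {8}

# Constructed: actions granted directly on each group; children inherit them.
DIRECT_ACTIONS = {
    1: set(),
    2: {"core.login.site"},
    6: {"core.login.admin", "core.manage", "core.create", "core.edit"},
    7: {"core.edit.state", "core.delete", "core.login.offline"},
    8: {"core.admin"},
}


def ancestors(gid: int) -> list[int]:
    """Return gid followed by every group above it, root last."""
    chain = []
    while gid is not None:
        chain.append(gid)
        gid = GROUPS[gid][0]
    return chain


def effective_actions(gid: int) -> set[str]:
    """Actions a member of `gid` holds, inherited ones included."""
    acts: set[str] = set()
    for g in ancestors(gid):
        acts |= DIRECT_ACTIONS[g]
    return acts


def user_actions(groups: set[int]) -> set[str]:
    """Union of the effective actions of every group the user is in."""
    acts: set[str] = set()
    for g in groups:
        acts |= effective_actions(g)
    return acts


def can_assign_permissive(actor_groups: set[int], target_group: int) -> bool:
    """The rule the thread describes: anyone who may manage users can hand
    out any group except Super Users, whatever it grants."""
    return ("core.manage" in user_actions(actor_groups)
            and target_group not in SUPER_USER_GROUPS)


def can_assign_hardened(actor_groups: set[int], target_group: int) -> bool:
    """Hardened rule: the target group must not grant anything the actor does
    not already hold, so nobody can hand out more than they have themselves."""
    if not can_assign_permissive(actor_groups, target_group):
        return False
    return effective_actions(target_group) <= user_actions(actor_groups)


Rule = Callable[[set[int], int], bool]


def assign(users: dict[str, set[int]], actor: str, target: str,
           group: int, rule: Rule) -> bool:
    """Apply the assignment if `rule` allows it. Self-assignment is refused,
    matching what duvi reports. Returns True when the change was made."""
    if actor == target or not rule(users[actor], group):
        return False
    users[target].add(group)
    return True


def mutual_escalation(rule: Rule) -> dict[str, set[int]]:
    """Two Managers (constructed users) try to bump each other to Administrator."""
    users = {"User1": {6}, "User2": {6}}
    assign(users, "User1", "User2", 7, rule)
    assign(users, "User2", "User1", 7, rule)
    return users


if __name__ == "__main__":
    for name, rule in (("permissive", can_assign_permissive),
                       ("hardened", can_assign_hardened)):
        print(name, mutual_escalation(rule))
```

Under the permissive rule both constructed Managers end up in Administrator after two requests, which is the outcome JAVesey warns about; under the hardened rule both requests are refused because Administrator grants actions a Manager does not hold. One caveat of a pure subset rule: in the default tree Registered is a sibling of Manager rather than an ancestor, so a Manager could not hand out Registered either. A deployable policy would compare against an explicit list of assignable groups rather than inheritance alone.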



Return to “Access Control List (ACL) in Joomla! 3.x”