Posted October 23, 2006
Is this supposed to be a "feature"?!
This seems like a very great security risk. What if someone turns rogue and decides to wipe out half the forums?
I know I can restrict them in the ACP... but this seems kind of... silly, to not be able to demote another admin when you are the root admin.
October 23, 2006
No, it won't let me.
When I load their profile in the ACP, it says this under Member Group Options:
Primary Member Group: Root Admin or Administrator (Can't Change)
When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."
October 23, 2006
I just demoted an admin down to member and back again, no problem.
I then made them root admin, and then demoted them again.
It looks like you're doing something wrong, or you're admin and they're root admin.
October 23, 2006
> No, it won't let me.
> When I load their profile in the ACP, it says this under Member Group Options:
> Primary Member Group: Root Admin or Administrator (Can't Change)
> When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."

Are you sure? I can edit every admin's profile. Are you in the root admin group?
October 23, 2006
> Are you sure? I can edit every admin's profile. Are you in the root admin group?

I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.
October 23, 2006
> I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.

Well I tested it, and true enough, you will not be able to edit any root administrator if you're in secondary group as root admin. Perhaps you need root admin as your primary group to do that. :)
October 23, 2006
If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:
October 23, 2006
> If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:

*DING*
If you're a root admin as a secondary account, you are only an admin. Try going to ACP->Admin->SQL Toolbox. You can't do that either.
October 23, 2006
> If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:

Well, it's my own board.
The reason I did that was because I didn't want users to see the difference between the two groups - I wanted them to appear as one, but I don't want the other admins in the root admin group.
Technically, it should work as expected, since you are supposed to inherit greater permissions!
So, can we confirm this as a bug? Or is this actually a feature?
October 23, 2006
It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.
October 23, 2006
> So, can we confirm this as a bug? Or is this actually a feature?

It's a feature.
October 23, 2006
It seems more like a bug, since you are supposed to inherit the greater permissions...
October 23, 2006
> It seems more like a bug, since you are supposed to inherit the greater permissions...

Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Group is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.
October 23, 2006
> It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.

But it was only implemented correctly in 2.1.x.
You can promote yourself to root admin in 2.0.x and below.
October 23, 2006
> Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Group is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.

"List All Administrators" in Admin CP shows who has admin access through a secondary group.
October 23, 2006
If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.
October 23, 2006
> If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.

My setup is this:
I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin.
It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group.
Is there a solution to this aside from putting them all in the admin group?
October 23, 2006
> "List All Administrators" in Admin CP shows who has admin access through a secondary group.

That was a VERY recent change. Until then, you'd have no idea until they launched a full scale attack that they held administrative privileges.
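Added example (not part of any post in this thread, and not IP.Board code): a small audit in the spirit of "List All Administrators", flagging accounts whose admin access comes only from a secondary group and marking root powers as primary-group-only, as described above. The group ids, member rows and the comma-separated storage of secondary groups are assumptions made for illustration.

```python
# Constructed group ids and member rows; a real board's ids and storage differ.
ROOT_ADMIN, ADMIN, MEMBER = 4, 6, 3
ACP_GROUPS = {ROOT_ADMIN, ADMIN}  # groups that grant Admin CP access

MEMBERS = [
    # (name, primary group id, secondary group ids as a comma-separated string)
    ("alice", ROOT_ADMIN, ""),
    ("bob", ADMIN, ",4,"),     # root admin only as a secondary group
    ("carol", MEMBER, "6"),    # looks like a member, holds admin access
    ("dave", MEMBER, ""),
    ("erin", ADMIN, " 3 , "),  # stray whitespace and empty fields
]

def parse_secondary(raw):
    """Parse a comma-separated id list, ignoring blanks and non-numeric junk."""
    return {int(p) for p in (s.strip() for s in raw.split(",")) if p.isdigit()}

def audit_admins(members):
    """One row per account that can reach the Admin CP, with where access comes from."""
    report = []
    for name, primary, raw in members:
        secondary = parse_secondary(raw)
        if primary in ACP_GROUPS:
            via = "primary"
        elif secondary & ACP_GROUPS:
            via = "secondary"
        else:
            continue  # no Admin CP access at all
        report.append({
            "name": name,
            "via": via,
            # Root-only powers count the primary group alone (per the thread).
            "root_powers": primary == ROOT_ADMIN,
            # Root admin held only as a secondary group: the case in this thread.
            "secondary_root": primary != ROOT_ADMIN and ROOT_ADMIN in secondary,
        })
    return report

def hidden_admins(members):
    """Accounts whose admin or root membership is not visible from the primary group."""
    return [r["name"] for r in audit_admins(members)
            if r["via"] == "secondary" or r["secondary_root"]]
```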
October 23, 2006
> My setup is this:
> I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin.
> It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group.
> Is there a solution to this aside from putting them all in the admin group?

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.
October 24, 2006
> Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually.
I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.
This topic is now archived and is closed to further replies.