Is this supposed to be a "feature"?!

This seems like a very great security risk. What if someone turns rogue and decides to wipe out half the forums?

I know I can restrict them in the ACP....but this seems kind of....silly, to not be able to demote another admin when you are the root admin.

You can....

No, it won't let me.

When I load their profile in the ACP, it says this under Member Group Options:

Primary Member Group: Root Admin or Administrator (Can't Change)

When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."

l just demoted an admin down to member and back again, no problem.

l then made them root admin, and then demoted them again.

It looks like you're doing something wrong, or you're admin and they're root admin.

No, it won't let me.

When I load their profile in the ACP, it says this under Member Group Options:

Primary Member Group: Root Admin or Administrator (Can't Change)

When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."

Are you sure? I can edit every admin's profile. Are you in the root admin group?

Are you sure? I can edit every admin's profile. Are you in the root admin group?

I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.

I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.

Well I tested it, and true enough, you will not be able to edit any root administrator if you're in secondary group as root admin. Perhaps you need root admin as your primary group to do that. :)

If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in?

:rolleyes:

If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in?

:rolleyes:

*DING*

If you're a root admin as a secondary account, you are only an admin. Try going to ACP->Admin->SQL Toolbox. You can't do that either.

If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in?

:rolleyes:

Well, It's my own board.

The reason I did that was because I didn't want users to see the difference between the two groups - I wanted them to appear as one, but I don't want the other admins in the root admin group..

Technically, it should work as expected, since you are supposed to inherit greater permissions!

So, can we confirm this as a bug? Or is this actually a feature?

It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.

So, can we confirm this as a bug? Or is this actually a feature?

It's a feature.

DOH!!!! :lol: :huh: :unsure: :whistle: :ph34r: :shifty: >_<

It seems more like a bug, since you are supposed to inherit the greater permissions...

It seems more like a bug, since you are supposed to inherit the greater permissions...

Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Groups is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.

It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.

but it was only implemented correctly in 2.1.x

you can promote yourself to root admin in 2.0.x and below

Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Groups is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.

"List All Administrators" in Admin CP shows who has admin access through a secondary groups

If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.

If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.

My setup is this:

I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin.

It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group.

Is there a solution to this aside from putting them all in the admin group?

"List All Administrators" in Admin CP shows who has admin access through a secondary groups

That was a VERY recent change. Until then, you'd have no idea until they launched a full scale attack that they held administrative priviledges

My setup is this:

I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin.

It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group.

Is there a solution to this aside from putting them all in the admin group?

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually.

I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually.

I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually.

I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.

Nice triple post.

Well if you are all equal then just make 'em all Root's LOL.