Geeklog-Core / geeklog

Geeklog - The Secure CMS.
https://www.geeklog.net

Admin 2 user id is necessary, but any root user can remove user id 2 #1073

Closed ivywe closed 2 years ago

ivywe commented 3 years ago

Admin 2 user id is necessary, but any root user can remove user id 2.

eSilverStrike commented 3 years ago

A Root user is necessary but it doesn't need to be id 2 (at least it shouldn't).

I know we have functions in Geeklog that search for the first Root user to apply, for example, security groups when a plugin is installed.

We should probably double-check all this just to make sure things work as long as there is one Root user (and it doesn't matter what id it is). If not, then we should either fix it (ideal) or lock down user id 2 to prevent it from being deleted.

eSilverStrike commented 2 years ago

Confirmed. I checked the code in USER_deleteAccount and it does check to make sure 1 root user is left or the user cannot be deleted. This is the delete user function used by the user settings page and the admin user page, so everything should be covered.
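
A sketch of the invariant confirmed above, added here as an example and not Geeklog's `USER_deleteAccount` code: deletion is refused only when the target is the last member of the Root group, whatever its uid. The table layout, `ROOT_GROUP_ID` and `deleteAccount()` are assumptions for illustration, and the script needs PHP's pdo_sqlite extension.

```php
<?php
// Added illustration: hypothetical schema and names, not Geeklog's code.
const ROOT_GROUP_ID = 1; // assumed id of the Root group in this sketch

function deleteAccount(PDO $db, int $uid): bool
{
    // Check and delete share one transaction. On a multi-writer database the
    // count below would also need a locking read or serializable isolation.
    $db->beginTransaction();
    try {
        $isRoot = $db->prepare('SELECT COUNT(*) FROM group_members WHERE uid = ? AND grp_id = ?');
        $isRoot->execute([$uid, ROOT_GROUP_ID]);
        if ((int) $isRoot->fetchColumn() > 0) {
            // Count Root members other than the target; the uid value is irrelevant.
            $others = $db->prepare('SELECT COUNT(*) FROM group_members WHERE grp_id = ? AND uid <> ?');
            $others->execute([ROOT_GROUP_ID, $uid]);
            if ((int) $others->fetchColumn() === 0) {
                $db->rollBack();
                return false; // refused: no Root user would remain
            }
        }
        $db->prepare('DELETE FROM group_members WHERE uid = ?')->execute([$uid]);
        $del = $db->prepare('DELETE FROM users WHERE uid = ?');
        $del->execute([$uid]);
        $db->commit();
        return $del->rowCount() === 1; // false when the uid did not exist
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE group_members (uid INTEGER, grp_id INTEGER)');
// Constructed sample data: uid 2 and uid 7 are Root members, uid 5 is not.
$db->exec("INSERT INTO users VALUES (2, 'admin'), (5, 'editor'), (7, 'ops')");
$db->exec('INSERT INTO group_members VALUES (2, 1), (5, 13), (7, 1)');

foreach ([5 => 'non-Root account', 2 => 'Root account, another Root exists', 7 => 'last Root account'] as $uid => $case) {
    printf("uid %d (%s): %s\n", $uid, $case, deleteAccount($db, $uid) ? 'deleted' : 'refused');
}
```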