Status: Open. janrudolph opened this issue 7 years ago.
Maybe create a new permission like "Manage Admin Users", or make it so that only people with the view-privileged-setting permission can handle other admin users.
@MartinSchoeler I don't understand your suggestion. Deleting a user of the role "admin" should only be allowed by other admin users. The responsibility to make sure no other roles are permitted to delete admins must be part of the Rocket.Chat core. IMHO nobody, nobody, nobody should be able to delete the "root user". Currently it is possible within Rocket.Chat to create a user with non-admin permissions that is able to delete admins, and therefore a "normal user" is able to kill your installation. This must be prevented.
Any updates here?
Description:
We added a role called user admin. The user admin is allowed to administrate users (e.g. adding new ones, activation, editing) and to administrate channels. The user admin should not have access to other system options. He should do the basic daily work. The user admin has the following rights:
Actual behavior:
With these permissions the user admin is able to deactivate the system admin. Thereby the system admin will be locked out of the system - the system is not manageable anymore. If you grant the user admin the right "delete users", the user admin is also able to delete the system admin.
This behavior is a potential threat.
Expected behavior:
The user admin should be able to manage regular users but not system admins. The management of system admins should be done by system admins only.
Server Setup Information:
Steps to Reproduce:
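As an added illustration of the authorization rule this issue asks for (it is not Rocket.Chat's own code, and the role names, permission names, user records and the `manage-admin-users` permission are constructed assumptions), the check below keeps the ordinary permission test that a user admin already passes, then adds the rule that accounts holding the admin role may only be managed by admins, and finally refuses to deactivate or delete the last active admin so no one can lock the installation out:

```javascript
// Added example: a minimal role/permission model showing the authorization rule the
// issue asks for. Illustrative code only, not Rocket.Chat's implementation; the role
// names, permission names and user records below are constructed assumptions.

// Hypothetical permission table: which permissions each role grants.
const rolePermissions = {
  admin: new Set([
    'delete-user',
    'edit-other-user-active-status',
    'manage-admin-users', // hypothetical permission in the spirit of the first comment
  ]),
  'user-admin': new Set(['delete-user', 'edit-other-user-active-status']),
  user: new Set(),
};

// Constructed sample directory: one active system admin, one inactive admin,
// one user admin and one regular user.
const sampleUsers = [
  { username: 'root', roles: ['admin'], active: true },
  { username: 'dave', roles: ['admin'], active: false },
  { username: 'bob', roles: ['user-admin'], active: true },
  { username: 'carol', roles: ['user'], active: true },
];

function hasPermission(user, permission) {
  return user.roles.some((role) => (rolePermissions[role] || new Set()).has(permission));
}

function isAdmin(user) {
  return user.roles.includes('admin');
}

function countActiveAdmins(userList) {
  return userList.filter((u) => isAdmin(u) && u.active).length;
}

// Decide whether `actor` may perform `action` ('delete' or 'deactivate') on `target`.
// Returns { allowed, reason } so a caller can log the denial reason for auditing.
function authorizeUserAction(actor, target, action, userList) {
  const needed = { delete: 'delete-user', deactivate: 'edit-other-user-active-status' }[action];
  if (!needed) {
    return { allowed: false, reason: 'unknown-action' };
  }
  // 1. The ordinary permission check, which a user admin passes today.
  if (!hasPermission(actor, needed)) {
    return { allowed: false, reason: 'missing-permission' };
  }
  // 2. The rule the issue asks for: admin accounts may only be managed by admins
  //    (or by holders of the dedicated hypothetical permission).
  if (isAdmin(target) && !isAdmin(actor) && !hasPermission(actor, 'manage-admin-users')) {
    return { allowed: false, reason: 'target-is-admin' };
  }
  // 3. Defensive extra: never remove or deactivate the last active admin, so even
  //    an admin cannot lock everyone out of the installation by mistake.
  if (isAdmin(target) && target.active && countActiveAdmins(userList) <= 1) {
    return { allowed: false, reason: 'last-active-admin' };
  }
  return { allowed: true, reason: 'ok' };
}

// Convenience lookup by username over a user list.
function findUser(userList, username) {
  return userList.find((u) => u.username === username);
}

// Stand-alone demonstration: the user admin cannot deactivate the system admin.
console.log(authorizeUserAction(findUser(sampleUsers, 'bob'), findUser(sampleUsers, 'root'), 'deactivate', sampleUsers));
```

The point of returning a reason rather than a bare boolean is that a denied attempt to touch an admin account is exactly the event an operator wants in the audit log, since under the behaviour described in the issue that attempt would have succeeded silently.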