An Admin with only "Quick Add User" permission can see all users and access inline edit functions including display name, real name, email address, and assign user classes. Since Login Names are visible, it might be possible to change another Admin's email and then use the Forgot Password to change their password, locking them out and gaining whatever permissions they have.
How to Reproduce
Steps to reproduce the behavior:
1. Make a new user account to test
2. Go to e107_admin/users.php and make that user an Admin
3. Go to e107_admin/administrator.php and Edit that user's permissions
4. Check only Quick Add User in the General Tab
5. Log Out
6. Log In as that User, go to e107_admin/users.php and change any user's email, display name, and whatever.
Expected Behavior
User should only see the Quick Add User Form and no user list (or a list of only users they have added might be nice).
Thank you @Vodhin !! I didn't hide the user list, but I did disable 'inline' editing, which prevents any editing of it. I also prevented this type of admin from creating new admins (i.e. elevated access).
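The two restrictions described in the reply above can be enforced on the server with a deny-by-default action check. This is an added example, not e107's code: the permission keys, action names and functions are hypothetical, and the separate guard on editing administrator accounts goes beyond the fix described, as an assumption about how to close the email-change path from the report.

```php
<?php
// Added illustration: permission keys, action names and functions are hypothetical, not e107's.
const ACTION_PERMS = [
    'user.quick_add'   => 'users.quick_add',
    'user.inline_edit' => 'users.manage',
    'admin.modify'     => 'admins.manage',
];

// Deny by default: an unknown action or a missing permission is refused.
function can(array $actor, string $action): bool
{
    $needed = ACTION_PERMS[$action] ?? null;
    return $needed !== null && in_array($needed, $actor['perms'], true);
}

// Inline edit is authorised on the server, so the hidden UI control is not the only barrier.
function inlineEdit(array $actor, array &$users, int $id, string $field, string $value): string
{
    if (!can($actor, 'user.inline_edit')) {
        return 'denied: editing users not permitted';
    }
    if (!isset($users[$id]) || !in_array($field, ['display_name', 'real_name', 'email'], true)) {
        return 'denied: unknown user or field';
    }
    // An email change on an admin account feeds the Forgot Password flow, so gate it separately.
    if ($users[$id]['is_admin'] && $id !== $actor['id'] && !can($actor, 'admin.modify')) {
        return 'denied: target is an administrator';
    }
    $users[$id][$field] = $value;
    return 'ok';
}

// Quick add may create ordinary users only, unless the actor may also manage admins.
function quickAdd(array $actor, array &$users, string $login, bool $asAdmin): string
{
    if (!can($actor, 'user.quick_add') || ($asAdmin && !can($actor, 'admin.modify'))) {
        return 'denied';
    }
    $users[] = ['login' => $login, 'email' => '', 'is_admin' => $asAdmin];
    return 'ok';
}

// Constructed sample data: one existing admin and an actor holding only the quick-add permission.
$users = [1 => ['login' => 'root', 'email' => 'root@example.test', 'is_admin' => true]];
$quickAdder = ['id' => 2, 'perms' => ['users.quick_add']];

echo inlineEdit($quickAdder, $users, 1, 'email', 'x@example.test'), PHP_EOL;
echo quickAdd($quickAdder, $users, 'newadmin', true), PHP_EOL;
echo quickAdd($quickAdder, $users, 'alice', false), PHP_EOL;
```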