e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

An Admin with only "Quick Add User" permission can see all users and access inline edit for all #5045

Closed Vodhin closed 10 months ago

Vodhin commented 11 months ago

Bug Description

An Admin with only "Quick Add User" permission can see all users and access inline edit functions including display name, real name, email address, and assign user classes. Since Login Names are visible, it might be possible to change another Admin's email and then use the Forgot Password to change their password, locking them out and gaining whatever permissions they have.

How to Reproduce

Steps to reproduce the behavior:

  1. Make a new user account to test
  2. Go To e107_admin/users.php and make that user an Admin
  3. Go to e107_admin/administrator.php and Edit that user's permissions
  4. Check only Quick Add User in the General Tab
  5. Log Out
  6. Log In as that User, go to e107_admin/users.php and change any users' email, display name, and whatever.

Expected Behavior

User should only see the Quick Add User Form and no user list (or a list of only users they have added might be nice).

CaMer0n commented 10 months ago

Thank you @Vodhin !! I didn't hide the user list, but I did disable 'inline' editing, which prevents any editing of it. I also prevented this type of admin from creating new admins. (i.e. elevated access).
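The two mitigations described in this thread (no inline editing of existing users for a quick-add-only admin, and no creation of new admins by such an admin) come down to server-side authorization checks rather than hidden UI. The following is an added illustration written for this page, not e107 project code: the permission codes, helper names and the `user_email` / `user_admin` field names are hypothetical stand-ins chosen to mirror the issue, and e107's real permission codes and table columns may differ.

```php
<?php
// Added illustration, not e107 code. Permission codes, helper names and
// field names below are hypothetical; they mirror the issue, not e107's API.

declare(strict_types=1);

const PERM_QUICK_ADD_USER = 'quick_add_user'; // hypothetical: "Quick Add User"
const PERM_MANAGE_USERS   = 'manage_users';   // hypothetical: full user management

// Does this admin hold the given permission? (stand-in for a real lookup)
function hasPerm(array $adminPerms, string $perm): bool
{
    return in_array($perm, $adminPerms, true);
}

/**
 * Decide which actions the user-admin page may expose to this admin.
 * Listing users, inline editing and class assignment all require the full
 * management permission; "quick add" alone yields only the add form.
 */
function allowedUserActions(array $adminPerms): array
{
    $actions = [];
    if (hasPerm($adminPerms, PERM_QUICK_ADD_USER) || hasPerm($adminPerms, PERM_MANAGE_USERS)) {
        $actions[] = 'add';
    }
    if (hasPerm($adminPerms, PERM_MANAGE_USERS)) {
        $actions[] = 'list';
        $actions[] = 'inline_edit';
        $actions[] = 'assign_class';
    }
    return $actions;
}

/**
 * Server-side gate for the inline-edit request handler. Hiding the editor
 * in the template is not enough: the handler itself must refuse the request
 * when the caller lacks the management permission, and must refuse to grant
 * admin status through this path no matter who asks (elevated access is a
 * separate, explicitly audited operation).
 */
function authorizeInlineEdit(array $adminPerms, string $field, $newValue): bool
{
    if (!hasPerm($adminPerms, PERM_MANAGE_USERS)) {
        return false; // quick-add-only admin: no editing of existing users
    }
    if ($field === 'user_admin' && (int) $newValue === 1) {
        return false; // never escalate to admin via the inline editor
    }
    return true;
}

/**
 * Gate for the "quick add" form: the new account is always created as a
 * plain member, so an admin holding only this permission cannot mint admins.
 */
function authorizeQuickAdd(array $adminPerms, array $newUser): bool
{
    if (!hasPerm($adminPerms, PERM_QUICK_ADD_USER) && !hasPerm($adminPerms, PERM_MANAGE_USERS)) {
        return false;
    }
    return (int) ($newUser['user_admin'] ?? 0) === 0;
}

// Constructed sample run: the quick-add-only admin from the issue versus a full admin.
$quickAddAdmin = [PERM_QUICK_ADD_USER];
$fullAdmin     = [PERM_MANAGE_USERS];

var_dump(allowedUserActions($quickAddAdmin));
var_dump(authorizeInlineEdit($quickAddAdmin, 'user_email', 'someone@example.invalid'));
var_dump(authorizeInlineEdit($fullAdmin, 'user_email', 'someone@example.invalid'));
var_dump(authorizeInlineEdit($fullAdmin, 'user_admin', 1));
var_dump(authorizeQuickAdd($quickAddAdmin, ['user_name' => 'newmember', 'user_admin' => 1]));
var_dump(authorizeQuickAdd($quickAddAdmin, ['user_name' => 'newmember']));
```

The point of the two separate gates is that the list page and the edit endpoint are distinct request paths: removing the inline-edit controls from the page the quick-add admin sees does nothing if the endpoint that saves a changed email or user class still accepts the request. Checking the permission in the handler, and refusing admin grants there regardless of permission, closes the escalation route the issue describes.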