Closed SteveMarvin closed 7 years ago
@NickLaiacona @SteveMarvin Where in the interface can you edit or see a user's type? I'm logged in as an admin and I can't seem to get it to display, except for http://127.0.0.1:5000/accounts, and in the DB, both show the default type as null.
You have to be a Textlab admin, not just a site admin.
You should have this admin link in the upper right:
Right, then when you edit a user, you will see this dialog:
Thanks guys, got it... needed to be 'admin' not 'site-admin'
Slightly bigger security hole: the issue is that users with no role assigned are assumed to be administrators (it's not that admin is assigned; nothing is assigned, and 'nothing' grants full access). Fixing...
In general we don't check user_type before performing actions. The only check I could find was if the "Admin" link appeared or not, and that appeared for all users who were not of type "user." Users of type NULL or any other type got the admin link, and users of any type can access the functionality by entering the URL.
I can lock this down, but can someone please make me a list of what functionality belongs to each role? Also, are these roles hierarchical (i.e. should 'admin' grant all of 'site_admin' and 'user', and so on)?
New activated users are still admins by default (NULL user type). 👎
ACCEPTED
When a new user signs up and is activated by the admin, the new account is set to active by default. However, no user type is assigned. If the admin clicks EDIT and then cancels back out, the type USER is assigned, but if the admin merely activates the user and then logs out, the user is granted SITE ADMIN privs by default. Note that the user type still remains empty until a TEXTLAB ADMIN edits it.
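An added example (not code from the Textlab project) contrasting the deny-list check described in this thread, where anything that is not type "user" gets the admin link, with a default-deny check that treats a missing or unknown user type as no privileges and makes the role hierarchy explicit. The role names, the area-to-role mapping and the `require_role` decorator are assumptions for illustration.

```python
import functools
from typing import Callable, Optional

# Assumed hierarchy: a higher rank grants everything a lower rank grants.
ROLE_RANK = {"admin": 3, "site_admin": 2, "user": 1}

# Assumed minimum role per protected area.
REQUIRED_ROLE = {
    "accounts": "site_admin",    # activate accounts, view /accounts
    "edit_user_type": "admin",   # change a user's type (Textlab admin)
    "documents": "user",
}


def show_admin_link_vulnerable(user_type: Optional[str]) -> bool:
    """The check the thread describes: everything except 'user' is treated
    as an admin, so a NULL type (freshly activated account) passes."""
    return user_type != "user"


def is_authorized(user_type: Optional[str], area: str) -> bool:
    """Default deny: an unknown/missing role grants nothing, and an area
    with no configured requirement is never reachable."""
    if user_type not in ROLE_RANK:
        return False
    needed = REQUIRED_ROLE.get(area)
    if needed is None:
        return False
    return ROLE_RANK[user_type] >= ROLE_RANK[needed]


def show_admin_link(user_type: Optional[str]) -> bool:
    """Show the link only to roles that may actually use /accounts."""
    return is_authorized(user_type, "accounts")


def require_role(area: str, get_user_type: Callable[[], Optional[str]]):
    """Guard a view function so that typing the URL directly is refused
    with the same check that decides whether the link is shown."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(*args, **kwargs):
            if not is_authorized(get_user_type(), area):
                raise PermissionError(f"{area} requires {REQUIRED_ROLE[area]}")
            return view(*args, **kwargs)
        return wrapper
    return decorator
```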