phpList / phplist3

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.
https://www.phplist.org
GNU Affero General Public License v3.0

disallow non-Superusers to manage admins #986

Closed michield closed 12 months ago

michield commented 1 year ago

Description

Non-superusers should not be allowed to manage admins, even when they have "config" permissions.

michield commented 1 year ago

Hmm, how annoying the CI fails again.

michield commented 1 year ago

This looks ok. It is removing the ability for an ordinary admin to edit/view their own admin details though. I don't use ordinary admins so don't know how important that might be. Perhaps that can be put back later but removing the current ability to change their own privileges.

Yes, for now this resolves a security issue where a sub-admin can update the details of a superuser, which is bad. We can add that later again.
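The privilege gap discussed above, as an added illustration (not phpList's own code, which this thread does not show): a check that treats the "config" privilege as sufficient for editing admin records, beside the corrected check that requires the superuser flag. The `$admin` array shape, the helper names and the sample records are assumptions constructed for this example.

```php
<?php
// Added illustration, not phpList code. Assumed admin record shape:
// ['id' => int, 'superuser' => 0|1, 'privileges' => ['config' => bool, ...]]

// Weak check: any admin holding the "config" privilege may edit admin
// records, so a sub-admin can rewrite a superuser's details or privileges.
function can_edit_admin_weak(array $actor, array $target): bool
{
    return $actor['superuser'] === 1 || !empty($actor['privileges']['config']);
}

// Corrected check: only a superuser may manage admin records. The "config"
// privilege no longer grants it, and a non-superuser cannot even edit their
// own record (the limitation noted in the review above). $target is kept as
// a parameter so a later "view own details" rule can be added in one place.
function can_edit_admin(array $actor, array $target): bool
{
    return $actor['superuser'] === 1;
}

// Constructed sample records.
$super = ['id' => 1, 'superuser' => 1, 'privileges' => ['config' => true]];
$sub   = ['id' => 2, 'superuser' => 0, 'privileges' => ['config' => true]];

$cases = [
    'sub-admin with config -> superuser' => [$sub, $super],
    'sub-admin with config -> own record' => [$sub, $sub],
    'superuser -> sub-admin'              => [$super, $sub],
];

foreach ($cases as $label => [$actor, $target]) {
    printf(
        "%-36s weak: %-5s corrected: %s\n",
        $label,
        can_edit_admin_weak($actor, $target) ? 'allow' : 'deny',
        can_edit_admin($actor, $target) ? 'allow' : 'deny'
    );
}
```

The first two cases are the ones the weak check wrongly allows; the corrected check denies both and still lets the superuser manage other admins.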

michield commented 12 months ago

This commit will make the items appear in the menu on first load: https://github.com/phpList/phplist3/pull/986/commits/774a075af6761355b104026aad65a55abcac8a7e

bramley commented 12 months ago

Yes, that has fixed the problem. Now the four menu items appear after logging in.

phpListDockerBot commented 11 months ago

This pull request has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/3-6-14-release-candidate-ready-for-testing/9109/1

phpListDockerBot commented 11 months ago

This pull request has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/phplist-3-6-14-released-security-release/9158/1