System users and groups not fully protected from deletion
It's possible to shoot yourself in the foot and delete the admin user and all/admins groups.
1. Configure Tamper Data / Burp Suite
Delete admin user - Steps to reproduce
2. Create any user
3. Attempt to delete that user and modify the HTTP request, put user id 0 and name admin
4. admin will be deleted
Delete all/admins groups
2. Create a group called all or admins
3. Attempt to delete the group created and modify the HTTP request, put group id 0 if using all or 1 if using admins
4. group will be deleted
These checks should be applied on the server side before attempting to do the action and not just when showing the menu.
#1 Updated by Phillip Davis over 5 years ago
https://github.com/pfsense/pfsense/pull/1957 should check for this case of the user manually messing with the $POST value of "id" and display an input error message rather than deleting a system user.
I guess something similar for the Groups tab will cover that case also.
#4 Updated by Phillip Davis over 5 years ago
System User Delete checks committed https://github.com/pfsense/pfsense/commit/8d070c072ec2b662f6a235cc3779fb62835dd647
System Group Delete checks committed https://github.com/pfsense/pfsense/commit/d7e5efa46134e738ae62e5c387c1e92fd803124d
This should be fixed in a RELENG_2_2 snapshot built after the time of this post.
@Fernando - please test with these changes and confirm that these system users and groups are now protected from deletion.
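The server-side check requested in the report and described in comment #1, as an added example that is not pfSense's code and not the content of the linked commits. The `scope` field, the `username` parameter, the record layout and the function name are assumptions made for this illustration; the handler decides from stored records only and returns an input error instead of deleting.

```php
<?php
// Added illustration; not pfSense code. The 'scope' field, the 'username'
// parameter and the function name are assumptions made for this example.

// Constructed sample data: index 0 is the built-in admin, index 1 a local user.
$users = [
    0 => ['name' => 'admin', 'scope' => 'system'],
    1 => ['name' => 'alice', 'scope' => 'user'],
];

/**
 * Validate a delete request on the server, using only stored records.
 * Returns an input-error string, or null when the delete was performed.
 */
function delete_user_checked(array &$users, array $post): ?string
{
    // The id must be a non-negative integer that refers to an existing record.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    if ($id === false || !isset($users[$id])) {
        return 'No such user.';
    }
    // The submitted name must match the stored name for that id, so a
    // request edited in transit cannot point the delete at another record.
    if (!isset($post['username']) || $post['username'] !== $users[$id]['name']) {
        return 'User name does not match the selected entry.';
    }
    // System accounts are refused regardless of what the menu displayed.
    if ($users[$id]['scope'] === 'system') {
        return 'System users cannot be deleted.';
    }
    unset($users[$id]);
    return null;
}

// Constructed requests: the edited request from the report (id 0, name admin),
// a mismatched id/name pair, a legitimate delete, and an unknown id.
$requests = [
    ['id' => '0', 'username' => 'admin'],
    ['id' => '1', 'username' => 'admin'],
    ['id' => '1', 'username' => 'alice'],
    ['id' => '7', 'username' => 'alice'],
];
foreach ($requests as $post) {
    $error = delete_user_checked($users, $post);
    printf("id=%s username=%s => %s\n", $post['id'], $post['username'], $error ?? 'deleted');
}
```

The same three checks (record exists, name matches id, record is not a system entry) carry over to the group delete path with the group list in place of the user list.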