Project

General

Profile

Feature #5850

Limit "WebCfg - System: User Manager page" privilege to non-admins and non-admin groups

Added by Timon Esser about 4 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
02/07/2016
Due date:
% Done:

0%

Estimated time:

Description

A user with the "WebCfg - System: User Manager page" privileges can asign himself and others to the admin group and gain admin rights this way. It would be nice to limit the "WebCfg - System: User Manager page" to privilege to manage only non-admins and certain groups. While having the ability to add himself to the admin group this privilege makes no sense, if im not wrong.

History

#1 Updated by Chris Buechler about 4 years ago

  • Tracker changed from Todo to Feature
  • Target version deleted (Future)

#2 Updated by Kill Bill about 3 years ago

Timon Esser wrote:

privilege to manage only non-admins and certain groups.

That wouldn't make any sense as there are lots of other privileges that the user could add to those "non-admin" groups to make the members effectively admin/root.

#3 Updated by Phillip Davis about 3 years ago

I guess the system could limit a user1 with "WebCfg - System: User Manager page" privileges to be only able to grant privileges that they already have themselves. That way they could create new users that could only do what they can already do themselves.

Then you could let user1 delete privs from other users that are in the set that held by user1. And delete users that contain only the privs held by user1.

For users that have more privs than user1, maybe user1 should be able to delete privs that match those held by user1, or maybe user1 should not even be able to see/edit users that are more privileged than user1.

There are lots of possible requirements here. The question is, is there a set of requirements that would be generally useful to a reasonable number of installs, and can be implemented without leaving security holes in the advertised functionality.

Also available in: Atom PDF