Feature #5850
open
Limit "WebCfg - System: User Manager page" privilege to non-admins and non-admin groups
Added by Timon Esser almost 9 years ago.
Updated almost 8 years ago.
Category:
User Manager / Privileges
Description
A user with the "WebCfg - System: User Manager page" privileges can asign himself and others to the admin group and gain admin rights this way. It would be nice to limit the "WebCfg - System: User Manager page" to privilege to manage only non-admins and certain groups. While having the ability to add himself to the admin group this privilege makes no sense, if im not wrong.
- Tracker changed from Todo to Feature
- Target version deleted (
Future)
Timon Esser wrote:
privilege to manage only non-admins and certain groups.
That wouldn't make any sense as there are lots of other privileges that the user could add to those "non-admin" groups to make the members effectively admin/root.
I guess the system could limit a user1 with "WebCfg - System: User Manager page" privileges to be only able to grant privileges that they already have themselves. That way they could create new users that could only do what they can already do themselves.
Then you could let user1 delete privs from other users that are in the set that held by user1. And delete users that contain only the privs held by user1.
For users that have more privs than user1, maybe user1 should be able to delete privs that match those held by user1, or maybe user1 should not even be able to see/edit users that are more privileged than user1.
There are lots of possible requirements here. The question is, is there a set of requirements that would be generally useful to a reasonable number of installs, and can be implemented without leaving security holes in the advertised functionality.
Also available in: Atom
PDF
Updated by 
Updated by Kill Bill 
Updated by