Moderators can use "Account Types" to become admins

Posted by sza on August 20, 2007 at 4:07pm

Issue Summary

Users who has access to user module for administer users can simply modify account type of ANY user without limit. Even if they can't "view accounttypes" in accounttypes module.

Comments

#1

Posted by rconstantine on August 20, 2007 at 5:42pm

You're talking about the user_edit form, right? Looks like I need to change the permission from "administer users" to "administer access control". Thanks.

#2

Posted by rconstantine on August 20, 2007 at 5:46pm

Status:

active

» fixed

Fixed it. Will be in next upload.

#3

Posted by sza on August 20, 2007 at 6:22pm

You're talking about the user_edit form, right?

Yes.

Fixed it. Will be in next upload.

Ok.

#4

Posted by Anonymous on September 5, 2007 at 7:11am

Status:

fixed

» closed (fixed)

Project:	Account Types
Version:	5.x-1.1
Component:	Code
Category:	bug report
Priority:	normal
Assigned:	sza
Status:	closed (fixed)

Moderators can use "Account Types" to become admins

Jump to:

Issue Summary

Comments

#1

#2

#3

#4