
document security threat of permission 'administer users '

Project: RoleAssign
Version: 6.x-1.x-dev
Component: Documentation
Category: feature request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

I recently stumbled upon the fact that users with permission 'administer users' can administer *all* users, including admin. So, if you are setting up a site for a client and trying to give them ability to create users, you are also giving them the ability to change the admin password or worse, completely delete the admin user (user 1).

This issue is documented more here:

Since this module requires that some users be given the 'administer users' permission, it would be helpful to have some kind of warning and advice. How about adding

Warning: granting 'administer users' permissions to users will allow them to modify the admin password or even delete the site administrator account. We strongly encourage you to use the User Protect module to prevent this.

to the project page and module help text?
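The issue above is that Drupal's 'administer users' permission makes no distinction between ordinary accounts and the site administrator (user 1). Beyond the documentation warning requested here, one defensive option is a small custom module that denies edit and delete access to user 1 for everyone except user 1. The following is an added example, not code from this issue, from RoleAssign or from the User Protect module; the module name `protect_uid1`, the helper functions, and the Drupal 6 menu router paths and core access callbacks it relies on (`user/%user_category/edit`, `user/%user/delete`, `user_edit_access()`, `user_access()`) are assumptions based on Drupal 6 core's user.module.

```php
<?php
// Added example (not part of the RoleAssign issue or the User Protect
// module): a minimal Drupal 6 module, hypothetically named "protect_uid1",
// that stops anyone other than user 1 from editing or deleting user 1,
// even when they hold 'administer users'. The router paths and the core
// access callback names below are assumed from Drupal 6 user.module.

/**
 * Implementation of hook_menu_alter().
 *
 * Replace the core access callbacks on the user edit and delete paths with
 * wrappers that check for the protected account before delegating to core.
 */
function protect_uid1_menu_alter(&$items) {
  if (isset($items['user/%user_category/edit'])) {
    $items['user/%user_category/edit']['access callback'] = 'protect_uid1_edit_access';
    $items['user/%user_category/edit']['access arguments'] = array(1);
  }
  if (isset($items['user/%user/delete'])) {
    $items['user/%user/delete']['access callback'] = 'protect_uid1_delete_access';
    $items['user/%user/delete']['access arguments'] = array(1);
  }
}

/**
 * TRUE when $account is the site administrator (uid 1) and the current
 * visitor is not; this is exactly the case the issue describes.
 */
function protect_uid1_is_protected($account) {
  global $user;
  return isset($account->uid) && $account->uid == 1 && $user->uid != 1;
}

/**
 * Access callback for user/%user_category/edit.
 */
function protect_uid1_edit_access($account) {
  if (protect_uid1_is_protected($account)) {
    return FALSE;
  }
  // Fall back to core's own rule: the account owner or 'administer users'.
  return user_edit_access($account);
}

/**
 * Access callback for user/%user/delete.
 */
function protect_uid1_delete_access($account) {
  if (protect_uid1_is_protected($account)) {
    return FALSE;
  }
  // Core's rule for the delete confirmation page.
  return user_access('administer users');
}
```

After enabling a module like this the menu router cache has to be rebuilt before the altered access callbacks take effect. It only covers the two paths named; the User Protect module recommended in this issue applies the same idea more broadly (per-user and per-role protection of several account fields), which is why the requested warning points users to it rather than to a hand-rolled hook.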

Comments

#1

Version: master » 6.x-1.x-dev
Status: active » fixed

Committed to the -dev version.

#2

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#3

This security threat has been fixed in 7.x-1.0-beta2 and the corresponding 6.x-1.x-dev version.
