• Resolved: astrogd (@astrogd)

    Hey there,
    I found this topic opened a few months ago about changing the editing access level permission to be linked with promote_users. There is a major flaw with that:

    I have a website where I created a role that has lower permissions than administrators, so that users with the role cannot delete administrator accounts but can still create users and promote them to any role with permissions less than or equal to the role I added. However, due to the promote_users permission being set, the users can now edit the access levels (including their own), allowing them to give themselves more permissions than they currently have, making the plugin useless for my case.

    Here are two ideas I have to solve this issue:
    – Add a separate permission rua_manage that is set by default for administrators and will be used to disable access to settings and edit access level capabilities only for this plugin.
    – Don’t allow users to allow permissions they don’t have themselves

    I would prefer the first idea as it will allow for a very customizable experience.

    Have a nice day,
    Lukas

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Joachim Jensen (@intoxstudio)

    Thank you for the feedback Lukas. I completely agree that it’s a flaw that potentially could lead to privilege escalation.

    Both of your suggestions are already on the roadmap, and the 2nd one will be included in the next update! It’s scheduled to be released next week.

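As an added illustration (not the plugin's code and not shown anywhere in the thread), a minimal Python model of the flaw Lukas describes and of the second suggestion Joachim says is coming: the role, capability and access-level names are constructed, and the extra rule that a user may not edit their own access levels is an assumption beyond what the thread proposes.

```python
from dataclasses import dataclass, field

# Constructed capability sets: a full administrator and Lukas's custom
# lower role that can create and promote users but not delete admins.
ADMIN_CAPS = {"promote_users", "delete_users", "edit_users", "manage_options"}
MANAGER_CAPS = {"promote_users", "edit_users"}

# Constructed access levels: what each level grants when it is assigned.
LEVELS = {
    "editor_level": {"edit_users"},
    "admin_level": {"manage_options", "delete_users", "edit_users", "promote_users"},
}


@dataclass
class User:
    name: str
    caps: set
    levels: set = field(default_factory=set)  # access levels the user holds


def can_edit_level_vulnerable(actor: User, target: User, level: str) -> bool:
    """Behaviour described in the thread: promote_users alone is enough."""
    return "promote_users" in actor.caps


def can_edit_level_hardened(actor: User, target: User, level: str) -> bool:
    """Suggestion 2: the actor must already hold every capability the level
    would grant. Denying edits to one's own levels is an added assumption."""
    if "promote_users" not in actor.caps:
        return False
    if target.name == actor.name:
        return False
    return LEVELS[level] <= actor.caps  # subset check: no escalation possible


def assign_level(check, actor: User, target: User, level: str) -> bool:
    """Apply the level only when the chosen authorisation check passes."""
    if not check(actor, target, level):
        return False
    target.levels.add(level)
    target.caps |= LEVELS[level]
    return True


def self_escalation(check) -> tuple:
    """A manager tries to grant themselves the admin level; returns
    (assignment succeeded, manager now has manage_options)."""
    manager = User("manager", set(MANAGER_CAPS))
    ok = assign_level(check, manager, manager, "admin_level")
    return ok, "manage_options" in manager.caps
```

With the vulnerable check the manager ends up with manage_options; with the hardened check the same request is refused while granting a level the manager already covers to another user still works.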
    Thread Starter astrogd (@astrogd)

    Hey Joachim,
    Thanks for the response. Great to hear that this issue is being worked on!
    I’m looking forward to the update.

  • The topic ‘Seperate permission for editing access levels’ is closed to new replies.