Creating new users role - a security risk?
Reported by: CrazySerb
Owned by:
Component: Security
Keywords: user roles, group levels
Ok, I've noticed that users with roles lower than Administrator (if allowed to Create/Edit/Delete users, as defined in the Role Manager plugin) are able to:
- list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)
- edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)
- add new users with any roles assigned to them, even administrator role.
Could that be fixed, so that users in group with a level of 7 can't see any of the other groups above level 7, and can't create new/edit existing users and assign them any role higher than 7, for example?
Otherwise, this is a major security risk for anyone allowing any users in groups less than administrator to administer other users.
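As an added illustration of the restriction the ticket asks for (example code, not part of the ticket or of WordPress core), a small mu-plugin that hides roles above the current user's level from the role drop-down and denies edit/delete/promote on higher-level accounts, using the `editable_roles` and `map_meta_cap` filters. It assumes the "group levels" in the ticket map to the legacy `level_0` to `level_10` capabilities; the helper names prefixed `crz_` are hypothetical.

```php
<?php
// Added example: limit what a non-administrator with user-management
// capabilities may do. Assumes the legacy level_N capabilities (0-10)
// express the "group level" of both users and roles.

// Highest level_N capability granted in a capability map.
function crz_level_from_caps( array $caps ) {
    $level = 0;
    foreach ( $caps as $cap => $granted ) {
        if ( $granted && preg_match( '/^level_(\d+)$/', $cap, $m ) ) {
            $level = max( $level, (int) $m[1] );
        }
    }
    return $level;
}

function crz_user_level( $user_id ) {
    $user = get_userdata( $user_id );
    return $user ? crz_level_from_caps( $user->allcaps ) : 0;
}

function crz_role_level( $role_name ) {
    $role = get_role( $role_name );
    return $role ? crz_level_from_caps( $role->capabilities ) : 0;
}

// 1. Remove roles above the current user's level from the role selector
//    on the "Add New User" and "Edit User" screens.
add_filter( 'editable_roles', function ( $roles ) {
    $my_level = crz_user_level( get_current_user_id() );
    foreach ( $roles as $name => $info ) {
        if ( crz_role_level( $name ) > $my_level ) {
            unset( $roles[ $name ] );
        }
    }
    return $roles;
} );

// 2. Deny edit_user / delete_user / promote_user on higher-level accounts,
//    so the rule holds for direct requests as well, not only for the UI.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user' );
    if ( in_array( $cap, $guarded, true ) && ! empty( $args[0] ) ) {
        $target = (int) $args[0];
        if ( $target !== (int) $user_id && crz_user_level( $target ) > crz_user_level( $user_id ) ) {
            $caps[] = 'do_not_allow';
        }
    }
    return $caps;
}, 10, 4 );
```

The first point in the ticket, hiding higher-level accounts from the user list itself, is not covered here; the second filter only blocks acting on them.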
Change History (3)
- Milestone set to 2.7
- Priority changed from highest omg bbq to normal
- Severity changed from major to normal