jguy1987/HercAdminTool_CI3

Admins can create another admin with a higher level than them

Closed this issue · 0 comments

If an admin has permissions to create another admin, they can create another admin that is a higher level than them. This is bad, as the user could just get their level 60 account created with permissions to create new admins, create a new admin at level 99, get the password for that account sent to them and then have complete control over the CP.

The intended behavior is that a user should not be able to create an admin or edit one with a level that is equal to or greater than their own. Hopefully we can get the options to do so removed, but an error would suffice.
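One way to enforce the rule described in this issue on the server, as an added example that is not HercAdminTool code: the function names and the sample level list are hypothetical. It assumes the acting admin's level comes from the server-side session and never from the submitted form.

```php
<?php
// Added example: hypothetical helpers, not part of HercAdminTool.

/**
 * Check a create/edit request against the acting admin's level.
 * $currentLevel is null when creating a new admin, otherwise the
 * level the target account holds right now.
 * Returns null when the request is allowed, or an error message.
 */
function admin_level_error($actorLevel, $requestedLevel, $currentLevel = null)
{
    $actorLevel     = (int) $actorLevel;      // from the session (assumption)
    $requestedLevel = (int) $requestedLevel;  // from the form, untrusted

    // Editing: the target must already sit strictly below the actor,
    // otherwise a level 60 admin could demote or take over a level 99.
    if ($currentLevel !== null && (int) $currentLevel >= $actorLevel) {
        return 'You cannot edit an admin whose level is equal to or greater than your own.';
    }

    // Creating or editing: the level being assigned must be strictly lower.
    if ($requestedLevel >= $actorLevel) {
        return 'You cannot assign a level equal to or greater than your own.';
    }

    return null;
}

/**
 * Levels to offer in the form, so the disallowed options are not shown.
 * The check above must still run on submit: a hidden option can be
 * re-added by editing the request.
 */
function assignable_levels($actorLevel, array $definedLevels)
{
    $actorLevel = (int) $actorLevel;
    return array_values(array_filter($definedLevels, function ($level) use ($actorLevel) {
        return (int) $level < $actorLevel;
    }));
}

// Constructed sample data: the level 60 admin from the issue.
$defined = array(1, 20, 60, 99);
var_dump(assignable_levels(60, $defined));   // options shown in the form
var_dump(admin_level_error(60, 99));         // create a level 99 admin
var_dump(admin_level_error(60, 20));         // create a level 20 admin
var_dump(admin_level_error(60, 20, 99));     // edit an existing level 99 admin
```

Filtering the form options covers the "options removed" half of the request; the server-side check is what actually stops the escalation.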