View Issue Details
| Field | Value |
|---|---|
| ID | 0010687 |
| Project | mantisbt |
| Category | administration |
| View Status | public |
| Date Submitted | 2009-07-06 00:37 |
| Last Update | 2009-10-07 14:19 |
| Reporter | vboctor |
| Assigned To | dhx |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.0rc1 |
| Target Version | 1.2.0rc2 |
| Fixed in Version | 1.2.0rc2 |
| Summary | 0010687: Administrators shouldn't be allowed to delete their own account |
| Tags | No tags attached. |

Description

If a user deletes their own record, the following errors show up:

```text
Warning: 403 in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 735
Warning: 403 in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 735
Warning: 403 in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 735
Warning: 403 in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 735
Warning: 403 in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 735
Warning: user_get_field() for NO_USER in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 725
Warning: user_get_field() for NO_USER in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 725
Warning: user_get_field() for NO_USER in /Applications/MAMP/htdocs/mantisbt/core/user_api.php on line 725
```
Relationships

| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| has duplicate | 0010713 | closed | vboctor | Deleting current user doesn't redirect to login page |
| has duplicate | 0010719 | closed | vboctor | Administrator delete myself and got APPLICATION ERROR #811 |
| has duplicate | 0010736 | closed | dhx | Administrator User |
| has duplicate | 0005109 | closed | dhx | BugTracker can have (0) administrator ! |
| has duplicate | 0003819 | closed | dregad | delete currently logged user |
Notes

This needs to be consistent with the current check performed when changing the access level of a user account. Currently when doing that, a check is performed to make sure the last administrator is not demoted below admin_site_threshold.

From IRC today: I'll add that administrators should be exempt from condition 2 as they have the ability to change global configuration anyway. To start placing limits on administrators is much like limiting what the root user can do - it doesn't make sense. On my TODO list for 1.2.x :)

Should be all good now. Let me know if you can still reproduce the problems you were having.
MantisBT: master-1.2.x 17ae3fc0 (2009-08-07 01:17)

Fix 0010687: don't allow deletion of the last admin account

The last administrator account should be protected from deletion or demotion. It is still possible to delete the last administrator account from the database by way of a raw SQL query if an installation absolutely must not contain any admin accounts.

Affected Issues: 0010687

mod - manage_user_delete.php
mod - account_delete.php
mod - lang/strings_english.txt
MantisBT: master fe113064 (2009-08-07 01:17)

Fix 0010687: don't allow deletion of the last admin account

The last administrator account should be protected from deletion or demotion. It is still possible to delete the last administrator account from the database by way of a raw SQL query if an installation absolutely must not contain any admin accounts.

Affected Issues: 0010687

mod - manage_user_delete.php
mod - lang/strings_english.txt
mod - account_delete.php
MantisBT: master-1.2.x 1d837ae7 (2009-08-07 02:24)

Fix 0010687: call auth_logout before user_delete

auth_logout() does stuff that requires a valid user ID. When a user attempts to delete their own account, we should first ensure that they're logged out as per normal. Then we can delete their account as a last step before redirecting them elsewhere. The html headers/footers and redirect message have also been adjusted for ease of use, and to ensure that the user doesn't miss the notice about their account being deleted successfully.

Affected Issues: 0010687

mod - account_delete.php
MantisBT: master dce1691b (2009-08-07 02:24)

Fix 0010687: call auth_logout before user_delete

auth_logout() does stuff that requires a valid user ID. When a user attempts to delete their own account, we should first ensure that they're logged out as per normal. Then we can delete their account as a last step before redirecting them elsewhere. The html headers/footers and redirect message have also been adjusted for ease of use, and to ensure that the user doesn't miss the notice about their account being deleted successfully.

Affected Issues: 0010687

mod - account_delete.php
MantisBT: master-1.2.x fd39c78b (2009-08-07 03:08)

Fix 0010687: Force use of account_delete when deleting own account

The case of deleting one's own account is quite different to deleting the account of another user. Therefore if an administrator wants to delete their own account, account_delete.php should be used instead. It correctly handles logging out and redirection of the administrator who has just deleted their own account. This fix will force account_delete.php to be used in a way that is transparent to an administrator who is deleting their account. For the purpose of this commit message, "administrator" is any user who has an access level equal to or beyond manage_user_threshold.

Affected Issues: 0010687

mod - account_delete.php
mod - manage_user_delete.php
MantisBT: master f27b0e9c (2009-08-07 03:08)

Fix 0010687: Force use of account_delete when deleting own account

The case of deleting one's own account is quite different to deleting the account of another user. Therefore if an administrator wants to delete their own account, account_delete.php should be used instead. It correctly handles logging out and redirection of the administrator who has just deleted their own account. This fix will force account_delete.php to be used in a way that is transparent to an administrator who is deleting their account. For the purpose of this commit message, "administrator" is any user who has an access level equal to or beyond manage_user_threshold.

Affected Issues: 0010687

mod - account_delete.php
mod - manage_user_delete.php
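The three fixes above, taken together, establish two rules: the last enabled administrator can be neither deleted nor demoted below admin_site_threshold (matching the demotion check the first note refers to), and self-deletion must log the user out while the user row still exists, then delete, then redirect. The following is an added example written for this page, not MantisBT code: it models those rules in a small Python user store so the invariant and the ordering bug can be exercised. The class and method names, the threshold values (90 and 70 standing in for admin_site_threshold and manage_user_threshold), the sample accounts and the decision to count only enabled accounts as administrators are all assumptions of this model.

```python
"""Model of the last-administrator invariant and the self-deletion ordering
from issue 0010687. Standalone illustration, not MantisBT code: thresholds,
class and method names are invented stand-ins."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed values standing in for admin_site_threshold / manage_user_threshold.
ADMIN_SITE_THRESHOLD = 90
MANAGE_USER_THRESHOLD = 70


class AccessDenied(Exception):
    """Actor's access level is below the threshold for the operation."""


class LastAdminProtected(Exception):
    """Operation would leave the installation without any administrator."""


@dataclass
class User:
    id: int
    name: str
    access_level: int
    enabled: bool = True


@dataclass
class UserStore:
    users: Dict[int, User] = field(default_factory=dict)
    sessions: Set[int] = field(default_factory=set)  # ids of logged-in users

    def admin_count(self) -> int:
        # Model assumption: only enabled accounts count, since a disabled
        # administrator cannot log in to administer anything.
        return sum(1 for u in self.users.values()
                   if u.enabled and u.access_level >= ADMIN_SITE_THRESHOLD)

    def is_last_admin(self, user_id: int) -> bool:
        u = self.users[user_id]
        return (u.enabled and u.access_level >= ADMIN_SITE_THRESHOLD
                and self.admin_count() == 1)

    def logout(self, user_id: int) -> None:
        # Like auth_logout() in the commit message, this needs a valid user row.
        if user_id not in self.users:
            raise LookupError("NO_USER")
        self.sessions.discard(user_id)

    def _require(self, actor_id: int, threshold: int) -> None:
        actor = self.users.get(actor_id)
        if actor is None or actor.access_level < threshold:
            raise AccessDenied(f"user {actor_id} is below level {threshold}")

    def set_access_level(self, actor_id: int, target_id: int, level: int) -> None:
        # The existing demotion check that the first note asks deletion to match.
        self._require(actor_id, MANAGE_USER_THRESHOLD)
        if level < ADMIN_SITE_THRESHOLD and self.is_last_admin(target_id):
            raise LastAdminProtected("cannot demote the last administrator")
        self.users[target_id].access_level = level

    def delete_own_account(self, user_id: int) -> str:
        # account_delete path: check the invariant, log out while the row still
        # exists, delete as the last step, then send the user to the login page.
        if self.is_last_admin(user_id):
            raise LastAdminProtected("cannot delete the last administrator")
        self.logout(user_id)
        del self.users[user_id]
        return "login_page"

    def manage_user_delete(self, actor_id: int, target_id: int) -> str:
        # manage_user_delete path; self-deletion is routed to the own-account
        # path instead of being handled here.
        self._require(actor_id, MANAGE_USER_THRESHOLD)
        if actor_id == target_id:
            return self.delete_own_account(actor_id)
        if self.is_last_admin(target_id):
            raise LastAdminProtected("cannot delete the last administrator")
        del self.users[target_id]
        return "manage_user_page"

    def buggy_delete_own_account(self, user_id: int) -> str:
        # The pre-fix ordering: the row is gone before logout runs, so logout
        # hits NO_USER and the session is left dangling.
        del self.users[user_id]
        self.logout(user_id)
        return "login_page"


def make_demo_store() -> UserStore:
    # Constructed sample accounts, not data from the issue.
    store = UserStore()
    for u in (User(1, "administrator", 90), User(2, "manager", 70),
              User(3, "reporter", 25)):
        store.users[u.id] = u
    store.sessions.update({1, 2})
    return store


if __name__ == "__main__":
    s = make_demo_store()
    try:
        s.manage_user_delete(1, 1)
    except LastAdminProtected as e:
        print("refused:", e)
    s.users[4] = User(4, "second_admin", 90)
    print("with a second admin present:", s.manage_user_delete(1, 1))
```

The invariant check lives in one place (is_last_admin) and is consulted by both the demotion and the deletion paths, so the two cannot drift apart again; the self-deletion path is reached from the management page by delegation rather than by duplicating the logout-then-delete sequence there. buggy_delete_own_account is kept only to show the failure mode the description reports: once the row is deleted, anything that still needs it (here, logout) fails with NO_USER, and the stale session remains.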