View Issue Details

ID: 0002998
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2004-12-11 03:01
Reporter: rep002
Assigned To: vboctor
Priority: normal
Severity: trivial
Reproducibility: always
Status: closed
Resolution: duplicate
Summary: 0002998: Logged in user is allowed self delete
Description

If the user has admin authority and deletes the account when he is logged in as himself, it allows the operation and then gives an error. Either the delete must not be allowed or, if it is, then an automatic log off should happen.

Tags: No tags attached.

Relationships

duplicate of 0003819 (closed, dregad): delete currently logged user

Activities

vboctor

2003-02-24 21:38

manager   ~0003804

I think the rule should be that a user should not be allowed to delete his/her own account.

jfitzell

2003-02-25 08:45

reporter   ~0003807

Well we have a config option for this:

# --- account delete -----------
# Allow users to delete their own accounts
$g_allow_account_delete     = OFF;

My guess is that we are behaving properly from the My Account section but not in the Manage Users section. We just need to copy the behaviour from one to the other.

jfitzell

2003-02-25 08:48

reporter   ~0003808

I'm actually not sure whether administrators should be limited by this config option but they should definitely be warned that they are deleting their account and asked to confirm. And if they do delete it, we should definitely log them out properly.

rep002

2003-02-25 14:28

reporter   ~0003816

I think we should extend the config option to admins also. Here is my reason.

I think there should be a check to see if there is at least one admin left in the system then that admin should not be allowed to be deleted. Because if he gets deleted and there are no other admins left, then it becomes difficult to manage Mantis from within the application. I know there is a way to add an admin user to the tables by going thru the tables directly, but I think it would be elegant to not go thru backdoors. So if we extend the same config option to Admins then we don't have to check each time an admin is deleted whether he is the last one, thus eliminating the need for a backdoor approach to add an admin if all admins are deleted somehow.

jfitzell

2003-02-25 18:51

reporter   ~0003820

I'd still rather allow admins to delete themselves the same way as everyone else, and if a user can delete other users' accounts they should certainly be able to delete their own. But adding a check to make sure the last admin account isn't deleted is probably a good idea.
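
The rules discussed in the notes above (config-gated self-delete, a last-administrator check, and logging out after a self-delete), as an added example that is not MantisBT's own code. The function name, access-level value and user array are hypothetical, and it takes the position from note ~0003820 that administrators may delete themselves unless they are the last one.

```php
<?php
// Added example; all names and values are hypothetical, not MantisBT's API.
const ADMINISTRATOR = 90; // constructed access-level threshold

// $users: constructed map of user id => ['name' => string, 'access' => int]
function check_account_delete(array $users, int $actor, int $target, bool $allowSelfDelete): array
{
    $deny = fn(string $why) => ['allow' => false, 'logout' => false, 'reason' => $why];
    if (!isset($users[$actor], $users[$target])) {
        return $deny('unknown user');
    }
    $isAdmin = fn(array $u) => $u['access'] >= ADMINISTRATOR;
    $self = ($actor === $target);

    // Deleting someone else's account requires administrator access.
    if (!$self && !$isAdmin($users[$actor])) {
        return $deny('not authorized to delete other accounts');
    }
    // Non-admin self-delete follows the config option, whichever page it comes from.
    if ($self && !$isAdmin($users[$actor]) && !$allowSelfDelete) {
        return $deny('self-delete disabled by configuration');
    }
    // Never remove the last administrator, whoever asks.
    if ($isAdmin($users[$target]) && count(array_filter($users, $isAdmin)) <= 1) {
        return $deny('cannot delete the last administrator');
    }
    // On self-delete the caller must end the session after removing the account.
    return ['allow' => true, 'logout' => $self, 'reason' => 'ok'];
}

// Constructed sample data: one administrator, one reporter.
$users = [
    1 => ['name' => 'admin1', 'access' => 90],
    2 => ['name' => 'reporter1', 'access' => 25],
];
$cases = [
    'sole admin deletes self'     => [1, 1],
    'admin deletes reporter'      => [1, 2],
    'reporter deletes self (OFF)' => [2, 2],
    'reporter deletes admin'      => [2, 1],
];
foreach ($cases as $label => [$actor, $target]) {
    $r = check_account_delete($users, $actor, $target, false);
    printf("%-28s allow=%s logout=%s (%s)\n", $label,
        $r['allow'] ? 'yes' : 'no', $r['logout'] ? 'yes' : 'no', $r['reason']);
}
```

Calling the same function from both the My Account and Manage Users code paths keeps the two pages from drifting apart, which is the gap note ~0003807 guesses at.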

rep002

2003-02-27 21:00

reporter   ~0003876

So are there any plans to do this in the next version or was it decided that it was a minor thing that can wait?

Issue History

Date Modified Username Field Change
2003-02-24 21:11 rep002 New Issue
2003-02-24 21:38 vboctor Note Added: 0003804
2003-02-25 08:45 jfitzell Note Added: 0003807
2003-02-25 08:48 jfitzell Note Added: 0003808
2003-02-25 14:28 rep002 Note Added: 0003816
2003-02-25 18:51 jfitzell Note Added: 0003820
2003-02-27 21:00 rep002 Note Added: 0003876
2004-11-10 15:35 vboctor Relationship added duplicate of 0003819
2004-11-10 15:35 vboctor Duplicate ID 0 => 3819
2004-11-10 15:35 vboctor Status new => resolved
2004-11-10 15:35 vboctor Resolution open => duplicate
2004-11-10 15:35 vboctor Assigned To => vboctor
2004-11-10 15:35 vboctor Assigned To vboctor =>
2004-11-10 15:35 vboctor Assigned To => vboctor
2004-12-11 03:01 vboctor Status resolved => closed