Only original admin can modify users in administrator usergroup.
pHaez
01-12-2002, 10:00 PM
I find that if you have more than 1 admin, it is kinda an uncomfortable feeling to know that they have the power to modify your user information as well as other admins. They can change your status from administrator to just a registered user, as well as others, and take over the board. This can prevent it.
Security is a touchy area, and this is not proven to be 100% secure, so I will not take responsibility for any problems this hack may cause.
In /admin/user.php you need to do the following:
Step 1.
Look for:
error_reporting(7);
Below that add:
unset($canmodifyadmins);
Step 2.
look for:
// ###################### Start edit #######################
if ($action=="edit") {
$user=$DB_site->query_first("SELECT *,FROM_UNIXTIME(joindate) AS joindate,FROM_UNIXTIME(lastvisit) AS lastvisit,FROM_UNIXTIME(lastactivity) AS lastactivity,FROM_UNIXTIME(lastpost) AS lastpost,
avatar.avatarpath,NOT ISNULL(customavatar.avatardata) AS hascustomavatar
FROM user
LEFT JOIN avatar ON avatar.avatarid=user.avatarid
LEFT JOIN customavatar ON customavatar.userid=user.userid
WHERE user.userid=$userid");
Below that add the following:
if ($user[usergroupid]!=6 or $bbuserinfo[userid]==$user[userid] or checklogperms($canmodifyadmins,1,"<p>Admins are not allowed to edit other admins.</p>")) {
Step 3.
Look For:
// ###################### Start do update #######################
Above that add the following:
}
Save that file and open /admin/config.php
Look for:
?>
Above that add the following:
$canmodifyadmins = "192";
you can allow others as well by separating their user id with a comma.
ex. $canmodifyadmins = "192,23,22";
That should do it. Lemme know if you have any problems.
This is now updated, should be fully operational!
TELEK
01-13-2002, 09:31 PM
hmm... looks good. I want to try it. But I don't want to be the first. if anybody else tries this, tell me if it works.
I already had one admin delete another admin because he was teasing him. That wasn't good.
nafae
01-13-2002, 11:22 PM
Behind the forums: true stories of ADMIN WARFARE!~
Mark Hensler
01-13-2002, 11:31 PM
lol@nafae
Sounds like you need to screen your admins better, TELEK.
GeorgeofCS
01-13-2002, 11:47 PM
I tried to install it and it doesn't appear to work. :(
Just gives me a blank page
pHaez
01-14-2002, 12:02 AM
hrm, it should work fine, i would try again. If you still can't get it, we need to work out a way to contact each other. It works perfect here.
StarBuG
01-14-2002, 03:39 PM
I installed it too on my webserver and have the same Problem!
I get a blank page if I try to edit any user!
I also set: $canmodifyadmins = "1"; cause my user id is 1 ;)
Any suggestions??
Maybe you forgot to parse a piece of code here???
Greetings
StarBuG
pHaez
01-14-2002, 03:51 PM
its a possibility, lemme look it over again. I know it works here on mine, so it must have something missing.
pHaez
01-14-2002, 03:59 PM
The first step should look like:
<?php
error_reporting(7);
// admin hack
unset($canmodifyadmins);
// end admin hack
require("./global.php");
adminlog(iif($userid!=0,"user id = $userid",""));
The Second step should look like:
if ($action=="edit") {
$user=$DB_site->query_first("SELECT *,FROM_UNIXTIME(joindate) AS joindate,FROM_UNIXTIME(lastvisit) AS lastvisit,FROM_UNIXTIME(lastactivity) AS lastactivity,FROM_UNIXTIME(lastpost) AS lastpost,
avatar.avatarpath,NOT ISNULL(customavatar.avatardata) AS hascustomavatar
FROM user
LEFT JOIN avatar ON avatar.avatarid=user.avatarid
LEFT JOIN customavatar ON customavatar.userid=user.userid
WHERE user.userid=$userid");
// admin hack
if ($user[usergroupid]==6 && checklogperms($canmodifyadmins,0,"<p>You are not allowed to edit other admins.</p>")) {
// end admin hack
if ($user[coppauser]==1) {
Third Step should look like:
doformfooter("Save Changes");
}
// admin hack
}
// end admin hack
// ###################### Start do update #######################
The config.php change should look like:
// admin hack
$canmodifyadmins = "192";
// end admin hack
?>
Maybe that will help you better understand the changes?
StarBuG
01-14-2002, 04:35 PM
I have made the changes and I'm not a newbie!
I think 3 steps are not heavy to implement!
But it doesn't work!
I use 2.2.1g!
Maybe this is the Problem!?
AND: The error occurs not only if I try to edit an admin also normal users are not displayed!
ONLY blank Page
So the error must be in:
// admin hack
if ($user[usergroupid]==6 && checklogperms($canmodifyadmins,0,"<p>You are not allowed to edit other admins.</p>")) {
// end admin hack
Greetings
StarBuG
Psychdrone
01-14-2002, 05:29 PM
wow this would be great, wait does this just prevent them from changing your user group? and password?
or does it restrict them to the whole edit user profile?
I think you should do what I said above, cause many of us have admins, that change the titles and such of our users!
Or maybe you could make it so that they can change anyone, except for the first admin? user Id 1??
pHaez
01-14-2002, 05:34 PM
it restricts access to everything. They cant even see the information on other admins. The minute they hit the edit link next to the name, it says access restricted. But they still have access to edit regular users. If you want that would be very easy to restrict access to.
pHaez
01-14-2002, 05:37 PM
its a possibility, i am running an upgraded version of 2.2.1, and i don't know if it works with the german version. If you still have problems you can e-mail me with your AIM, ill add you to my list. my aim = pHaez
Jawelin
01-15-2002, 04:31 PM
Well. I just installed it on 2.2.1 english... :)
When I try to edit ANY user, I get a blank page. The HTML code shows:
<html><head>
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type">
<meta http-equiv="MSThemeCompatible" content="Yes">
<link rel="stylesheet" href="../cp.css">
</head>
<body leftmargin="10" topmargin="10" marginwidth="10" marginheight="10">
</BODY></HTML>
... I absolutely think the code if ($user[usergroupid]==6 && checklogperms($canmodifyadmins,0,"<p>Admins are not allowed to edit other admins.</p>")) { doesn't do the job each of us could expect.
For instance, I think the unset code should go AFTER the global.php import, but it's not enough... as far
:confused:
Thanks a lot.
Bye
Jawelin
01-15-2002, 04:45 PM
Eureka! ;)
Simply I think the condition should be REVERSED !!
As is, it only permits to edit other admins with the right variable !!! ;)
Well. Let's try with if ($user[usergroupid]!=6 or checklogperms($canmodifyadmins,1,"<p>Admins are not allowed to edit other admins.</p>")) {
!!!!
NOW it works ! ;)
.... :p
P.S.: my name is DeMorgan.... DeMorgan's Theorem
Bye
StarBuG
01-15-2002, 05:35 PM
Juhu
Now it's working PERFECT!!
THX to all!!
Greetings
StarBuG
pHaez
01-15-2002, 07:18 PM
well iono, i helped someone from these boards with exactly what i posted, and it worked perfect.
Psychdrone
01-15-2002, 08:20 PM
wow this sounds great man! hey could you update your beginning attachment, to the fixes, as I got a little confused along the way.......Thanks and great hack!
Jawelin
01-16-2002, 12:01 PM
Originally posted by pHaez
well iono, i helped someone from these boards with exactly what i posted, and it worked perfect.
Sorry, but I think it is impossible that it worked with the wrong condition to execute something...
The only way should be a " } else { " right after your IF {
... :stupid:
Thanks.
pHaez
01-16-2002, 02:52 PM
well it worked, but then i found some probs last night, when i tried editing users in a diff usergroup.
Psychdrone
01-16-2002, 09:08 PM
could you fix it up, and then rerelease it
thanks!
pHaez
01-17-2002, 09:41 AM
i updated the first post with the fix., it should be "fixed up" now.
Arathorn
01-17-2002, 11:29 AM
Great hack! Installed it, no problems. But can it be set to allow admins to change their own profiles in the admin cp?
pHaez
01-17-2002, 04:08 PM
yea i'll work on that. prolly get it posted sometime tonight or tomorrow.
pHaez
01-17-2002, 04:32 PM
Originally posted by Arathorn
Great hack! Installed it, no problems. But can it be set to allow admins to change their own profiles in the admin cp?
ok for this, instead of
if ($user[usergroupid]!=6 or checklogperms($canmodifyadmins,1,"<p>Admins are not allowed to edit other admins.</p>")) {
you should add this:
if ($user[usergroupid]!=6 or $bbuserinfo[userid]==$user[userid] or checklogperms($canmodifyadmins,1,"<p>Admins are not allowed to edit other admins.</p>")) {
Arathorn
01-17-2002, 05:12 PM
Thanks, really nice of you. :) It works great now.
Erwin
02-07-2002, 05:50 AM
Cool!
Renegade
03-10-2002, 11:12 AM
This works for co-admins trying to edit Admins, but what about making work on all users and groups (i.e., co-admins should not be able to modify any users/groups)
thx
ReN
pHaez
03-10-2002, 11:39 AM
that is possible, ill write something up.
Originally posted by Renegade
This works for co-admins trying to edit Admins, but what about making work on all users and groups (i.e., co-admins should not be able to modify any users/groups)
thx
ReN
if you don't want admins to edit other users, why do you give them access to admin panel? to access the templates and edit them? well if they want to make something bad, they can do it everywhere in admin panel, no need to restrict the access about modifying the users..
Tenpit
03-23-2002, 11:54 AM
How would you extend this to prevent Admins from Deleting other Admins?
The 'remove' option in the Admin CP still works?
Thx
Ten
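Added example, not part of the thread and not vBulletin code: it compares the condition first posted with the corrected one (including the own-profile exception) and applies the same decision to every user-modifying action, since the hack as posted closes its brace above the "Start do update" marker and so wraps only the edit form. The function names, the action names other than "edit", and the sample ids are assumptions; in_array() stands in for checklogperms(), whose body is not shown in the thread.

```php
<?php
// Added example, not vBulletin code: every name here is hypothetical.
const ADMIN_GROUP = 6; // usergroupid the thread's condition treats as administrators

// Parse a $canmodifyadmins-style list such as "192,23,22" into integer ids,
// dropping empty or non-numeric entries.
function parse_allow_list(string $csv): array {
    $parts = array_filter(array_map('trim', explode(',', $csv)), 'ctype_digit');
    return array_map('intval', array_values($parts));
}

// Condition as first posted: true only when the target is an admin AND the
// actor is listed, so the edit form is skipped for every regular user.
function original_condition(int $actor, array $target, array $allow): bool {
    return (int) $target['usergroupid'] === ADMIN_GROUP
        && in_array($actor, $allow, true);
}

// Corrected condition with the own-profile exception added later in the thread.
function may_modify(int $actor, array $target, array $allow): bool {
    return (int) $target['usergroupid'] !== ADMIN_GROUP
        || $actor === (int) $target['userid']
        || in_array($actor, $allow, true);
}

// Apply the same decision to each action that touches a user record.
// "doupdate" and "remove" are assumed action names; only "edit" is on the page.
function authorize(string $action, int $actor, array $target, array $allow): bool {
    $guarded = ['edit', 'doupdate', 'remove'];
    return !in_array($action, $guarded, true) || may_modify($actor, $target, $allow);
}

// Constructed sample data: 192 is allow-listed, 77 is an unlisted co-admin.
$allow  = parse_allow_list('192');
$member = ['userid' => 500, 'usergroupid' => 2];
$owner  = ['userid' => 192, 'usergroupid' => 6];
$coadm  = ['userid' => 77,  'usergroupid' => 6];
$cases  = [[77, $member], [77, $owner], [77, $coadm], [192, $coadm], [192, $member]];

foreach ($cases as [$actor, $target]) {
    printf("actor=%d target=%d original=%s edit=%s remove=%s\n",
        $actor, $target['userid'],
        var_export(original_condition($actor, $target, $allow), true),
        var_export(authorize('edit', $actor, $target, $allow), true),
        var_export(authorize('remove', $actor, $target, $allow), true));
}
```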
pHAZE_1
04-22-2002, 06:16 PM
The 'remove' option in the Admin CP still works?
great hack, but me (original admin) cant edit other admins. that sucks
Nupraptor
04-23-2002, 01:29 AM
Is there any way to make it so that one of the "lesser" admins can only edit a certain set of templates / style sets? Basically, I want to give an admin complete control over a certain set of forums, but I don't want him accidentally destroying the templates for the rest of the board.
pHaez
04-23-2002, 06:11 PM
Sorry, but I left the vbulletin community, so I cant really do much
modding of vbulletin now.
Chris M
04-23-2002, 08:00 PM
Damn...
I was going to ask 2 things...
1.) Could the "Remove" link be removed?
2.) Could this be targeted to specific users, rather than just general admins...
I would like them to be able to see my profile (unless I blocked them with my hack), but not be able to change my user status, or remove me...
Any help at all?
Satan
bonnmac
05-08-2002, 04:08 AM
I was going to ask the same questions. Also was going to ask Is it possible to make it so that Admin #1 can still edit lesser admins? Thanks for any help. :)
Originally posted by hellsatan
Damn...
I was going to ask 2 things...
1.) Could the "Remove" link be removed?
2.) Could this be targeted to specific users, rather than just general admins...
I would like them to be able to see my profile (unless I blocked them with my hack), but not be able to change my user status, or remove me...
Any help at all?
Satan
Webmasta XT
06-24-2002, 02:09 PM
hey can we get an all in one file? with all the bugs fixed and stuff? I dunno what to do, and I also think this is a great idea, but you should be able to it with the admin whos userid is 1, cuz hes the one who made the forums..
pHaez
06-24-2002, 02:10 PM
Your message has been received! However, we receive a lot of messages, so we may not respond immediately.
Thanks,
E-Programmer.net Staff