vb.org Archive - Only original admin can modify users in administrator usergroup.

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vBulletin 2.x Full Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=4)

- - Only original admin can modify users in administrator usergroup. (https://vborg.vbsupport.ru/showthread.php?t=34094)

I find that if you have more that 1 admin, it is kinda a uncomfortable feeling to know that they have the power to modify your user information as well as other admins. They can change your status from administrator to just a registered user, as well as others, and take over the board. This can prevent it.

Security is a touchy area, and this is not proven to be 100% secure, so I will not take responsibility for any problems this hack may cause.

In /admin/user.php you need to do the following:

Step 1.
Look for:

PHP Code:


		
			
error_reporting(7);

Below that add:

PHP Code:


		
			
unset($canmodifyadmins);

Step 2.
look for:

PHP Code:


		
			
// ###################### Start edit #######################

if ($action=="edit") {

  $user=$DB_site->query_first("SELECT *,FROM_UNIXTIME(joindate) AS joindate,FROM_UNIXTIME(lastvisit) AS lastvisit,FROM_UNIXTIME(lastactivity) AS lastactivity,FROM_UNIXTIME(lastpost) AS lastpost,

                               avatar.avatarpath,NOT ISNULL(customavatar.avatardata) AS hascustomavatar

                               FROM user

                               LEFT JOIN avatar ON avatar.avatarid=user.avatarid

                               LEFT JOIN customavatar ON customavatar.userid=user.userid

                               WHERE user.userid=$userid");

Below that add the following:

PHP Code:


		
			
if ($user[usergroupid]!=6 or $bbuserinfo[userid]==$user[userid] or checklogperms($canmodifyadmins,1,"<p>Admins are not allowed to edit other admins.</p>")) {

Step 3.
Look For:

PHP Code:


		
			
// ###################### Start do update #######################

Above that add the following:

PHP Code:

Save that file and open /admin/config.php

Look for:

PHP Code:

?>

Above that add the following:

PHP Code:


		
			
$canmodifyadmins = "192";

you can allow others as well by seperating their user id with a comma.
ex.

PHP Code:


		
			
$canmodifyadmins = "192,23,22";

That should do it. Lemme know if you have any problems.

[SIZE=3]This is now updated, should be fully operational!

hmm... looks good. I want to try it. But I don't want to be the first. if anybody else tries this, tell me if it works.

I already had one admin delete another admin because he was teasing him. That wasn't good.

Behind the forums: true stories of ADMIN WAREFARE!~

lol@nafae

Sounds like you need to screen your admins better, TELEK.

I tried to install it and it doesn't appear to work. :(

Just gives me a blank page

hrm, it should work fine, i would try again. If you still can't get it, we need to work out a way to contact each other. It works perfect here.

I installed it too on my webserver and have the same Problem!

I get a blank page if I try to edit any user!
I also set: $canmodifyadmins = "1"; cause?my user id is 1 ;)

Any suggestions??

Maybe you forgott to parse a peace of code here???

Greetings

StarBuG

its a possibility, lemme look it over again. I know it works here on mine, so it must have something missing.

The first step should look like:

PHP Code:


		
			
<?php

error_reporting(7);

// admin hack

unset($canmodifyadmins);

// end admin hack

require("./global.php");



adminlog(iif($userid!=0,"user id = $userid",""));

The Second step should look like:

PHP Code:


		
			
if ($action=="edit") {

  $user=$DB_site->query_first("SELECT *,FROM_UNIXTIME(joindate) AS joindate,FROM_UNIXTIME(lastvisit) AS lastvisit,FROM_UNIXTIME(lastactivity) AS lastactivity,FROM_UNIXTIME(lastpost) AS lastpost,

                               avatar.avatarpath,NOT ISNULL(customavatar.avatardata) AS hascustomavatar

                               FROM user

                               LEFT JOIN avatar ON avatar.avatarid=user.avatarid

                               LEFT JOIN customavatar ON customavatar.userid=user.userid

                               WHERE user.userid=$userid");

// admin hack

if ($user[usergroupid]==6 && checklogperms($canmodifyadmins,0,"<p>You are not allowed to edit other admins.</p>")) {

// end admin hack

  if ($user[coppauser]==1) {

Third Step should look like:

PHP Code:


		
			
  doformfooter("Save Changes");



  }

// admin hack

}

// end admin hack

// ###################### Start do update #######################

The config.php change should look like:

PHP Code:


		
			
// admin hack

$canmodifyadmins = "192";

// end admin hack

?>

Maybe that will help you better understand the changes?

I have made the changes and I?m not a newbie!

I think 3 steps are not heavy to implement!

But it doesn?t work!

I use 2.2.1g!

Maybe this is the Problem!?

AND: The error occours not only if I try to edit an admin also normal users are not displayed!
ONLY blank Page

So the error must be in:

PHP Code:


		
			
// admin hack

  if ($user[usergroupid]==6 && checklogperms($canmodifyadmins,0,"<p>You are not allowed to edit other admins.</p>")) {

 // end admin hack

Greetings

StarBuG

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (14)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05243 seconds Memory Usage 1,761KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (14)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: