Moderators can edit same Access View Level [Security issue]

5 years 2 months ago #263401 by guillebril
Joomla version: 3.4
Community Builder version: 2.0.8
PHP version: 5.6.2
MYSQL version: 5.5.38


In the CB > configuration > moderation tab I have set the parameters to allow a group called STAFF to be moderators (to be able to edit other profiles) (see picture). The problem I have is that STAFF have the access right to also edit another staff. According to the description, moderators cannot edit same or higher level of moderators.

If as a moderator (staff) I try to edit a super user I won't be able to, but if I try to edit another staff user (same level) I am able to, and I am not supposed to be. I should only be able to edit users with a lower access level (e.g. registered) (see picture).


I thought about hiding the button using the conditional plugin, but that would only hide the button, meaning that if a moderator (staff) changes the id number in the URL, then he will be able to edit another moderator, and I do not want that.
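
The rule described in the post above, enforced on the server for every edit request so that changing the id in the URL has no effect. This is an added example, not part of the original post and not Community Builder or Joomla code. The numeric group ranks, the sample accounts and all function names are assumptions made for illustration, and the code is written for PHP 7.4 or later.

```php
<?php
// Added illustration; not Community Builder or Joomla code.
// Assumption: each group maps to a numeric rank, higher = more privileged.
const GROUP_RANK = ['registered' => 1, 'staff' => 2, 'superuser' => 3];
const MODERATOR_GROUPS = ['staff', 'superuser'];

// Constructed sample accounts (hypothetical ids and names).
const USERS = [
    10 => ['name' => 'alice', 'groups' => ['registered', 'staff']],
    11 => ['name' => 'bob',   'groups' => ['registered', 'staff']],
    12 => ['name' => 'carol', 'groups' => ['registered']],
    13 => ['name' => 'root',  'groups' => ['superuser']],
];

// A user's effective rank is the highest rank among their groups.
function effectiveRank(array $user): int
{
    $ranks = array_map(fn ($g) => GROUP_RANK[$g] ?? 0, $user['groups']);
    return $ranks ? max($ranks) : 0;
}

function canEditProfile(int $actorId, int $targetId): bool
{
    $actor  = USERS[$actorId]  ?? null;
    $target = USERS[$targetId] ?? null;
    if ($actor === null || $target === null) {
        return false; // unknown account: deny by default
    }
    if ($actorId === $targetId) {
        return true; // editing one's own profile
    }
    if (!array_intersect($actor['groups'], MODERATOR_GROUPS)) {
        return false; // not a moderator
    }
    // Strictly lower only: same or higher level is refused.
    return effectiveRank($target) < effectiveRank($actor);
}

// Runs on every edit request; $requestedId is the id taken from the URL.
function handleEditRequest(int $sessionUserId, string $requestedId): int
{
    if (!ctype_digit($requestedId)) {
        return 400; // malformed id
    }
    return canEditProfile($sessionUserId, (int) $requestedId) ? 200 : 403;
}

foreach (['12', '11', '13', '10', '99'] as $id) {
    printf("alice -> user %s: HTTP %d\n", $id, handleEditRequest(10, $id));
}
```

Because the decision is made from the session user and the target record, hiding or showing the edit button becomes a display matter only.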