Comments (2)
Oh my, some of the things that have not been noticed for ages - I was not aware of this error. I'll fix it shortly. Years ago I noticed many people were disabling their admin rights accidentally (another bug) and so I added that to make/keep the primary user an admin (kind of a super admin). I'm unsure if I should remove it completely (instead of fixing it). People are going 15 years now without upgrading (a bit frustrating to be honest but if it works that's great, I guess).
My two cents: addressing the accidental self-removal of admin rights in an upgrade step seems misplaced unless it was a widespread issue introduced in a specific release (e.g., a different database upgrade caused it, or it was impossible to submit the user form without de-adminning). I'd remove it completely, myself.
For lockouts caused by user error, a twist on the password reset utility seems more appropriate. Accidentally de-escalating your privileges is basically a variation of the same problem: the user goofed their login somehow, and now we have to resort to extreme measures to regain access.
Even in the examples I presented, though, the fix seems somehow simultaneously too broad and too narrow. It's too broad in that it assumes that the user who installed Indexhibit is and will always be a trusted user. It's too narrow in that if the de-adminning problem affected any user besides 1, it doesn't restore their access.
In some respects, including this script in an upgrade step represents a low-grade security risk. Suppose I intentionally took away user 1's admin privileges, then upgraded the instance. This upgrade step would silently re-escalate their privileges.
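To make the two designs discussed in the thread concrete, here is an added example (not Indexhibit's code, and not posted by either commenter). It contrasts an upgrade step that unconditionally re-grants admin to user 1 with an explicit, operator-invoked recovery command that targets a named account and leaves an audit trail. The `users` table, its `is_admin` column, and the account names are assumptions for the demo; the real Indexhibit schema differs.

```php
<?php
// Added example, not Indexhibit's own code. The schema below (a `users` table
// with id/username/is_admin) is a hypothetical stand-in for the real one.
declare(strict_types=1);

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        is_admin INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample data: user 1 (the installer) was deliberately demoted;
    // a second account is now the only admin.
    $db->exec("INSERT INTO users (id, username, is_admin)
               VALUES (1, 'installer', 0), (2, 'ops', 1)");
    return $db;
}

function isAdmin(PDO $db, int $id): bool {
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (bool) $stmt->fetchColumn();
}

// The pattern criticised in the thread: an upgrade step that re-grants admin to
// user 1 on every upgrade, regardless of operator intent and without logging it.
function upgradeStepReadminUser1(PDO $db): void {
    $db->exec('UPDATE users SET is_admin = 1 WHERE id = 1');
}

// The alternative suggested above: a recovery command in the spirit of a password
// reset utility. It only runs from the CLI (so it cannot be triggered over the
// web), targets a named account rather than a fixed id, changes nothing if the
// account is already an admin, and records who ran it.
function restoreAdmin(PDO $db, string $username, string $operator, array &$auditLog): bool {
    if (PHP_SAPI !== 'cli') {
        throw new RuntimeException('recovery must be run from the command line');
    }
    $stmt = $db->prepare('UPDATE users SET is_admin = 1
                          WHERE username = :u AND is_admin = 0');
    $stmt->execute([':u' => $username]);
    $changed = $stmt->rowCount() === 1;
    $auditLog[] = sprintf('%s restore-admin user=%s operator=%s result=%s',
        date('c'), $username, $operator, $changed ? 'granted' : 'no-op');
    return $changed;
}

// Demo 1: the silent re-escalation. The demoted installer is admin again.
$db = openDemoDb();
upgradeStepReadminUser1($db);
printf("after upgrade step, user 1 admin: %s\n", isAdmin($db, 1) ? 'yes' : 'no');

// Demo 2: the explicit path. Nothing changes unless an operator asks for it,
// and the request is logged.
$db = openDemoDb();
$log = [];
printf("before recovery, user 1 admin: %s\n", isAdmin($db, 1) ? 'yes' : 'no');
restoreAdmin($db, 'installer', getenv('USER') ?: 'operator', $log);
printf("after recovery, user 1 admin: %s\n", isAdmin($db, 1) ? 'yes' : 'no');
echo implode(PHP_EOL, $log), PHP_EOL;
```

Run it with `php recovery-demo.php` from a shell; the `PHP_SAPI` check makes the recovery function refuse to run under a web server, which is the point of keeping privilege recovery out of the upgrade path.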
Related Issues
- There is a CSRF vulnerability that can be reset password of any account
- Reflected Cross Site Scripting(XSS)-/ndxzsite/plugin/ajax.php
- There are multiple cross-site scripting (XSS) vulnerabilities in the management panel
- There is a insecure permission so that we can read any file we want,include config.php
- Missing license
- There is a file upload vulnerability
- PHP 8 compatibility
- PHP 8 compatibility?
- Is Indexhibit dead?
- Last version
- columnerdeux-master
- missing dimgs
- Upload Error Abort
- Front-end JavaScript libraries with known security vulnerabilities
- Deprecation notices when using Indexhibit with PHP 8
- v2.1.6 with PHP 8.0
- Security contact
- Can't troubleshoot this lib/chache.php issue