Issues with user group accessing dashboard (members and editing them)
I've run into 2 issues on my site as described within the topic title.
First a quick explanation of my setup/intentions:
I've got a custom usergroup 'subadmin' which won't have full access, but should be able to edit members and also be able to assign them to a usergroup.
Members of this group are assigned to the WP role 'Author'. The wpForo permissions of this group have ALL options checked, except for "Dashboard - Can create forum", "Dashboard - Can edit forum" and "Dashboard - Can delete forum".
Issue 1 (I'd say a bug)
When a member of this group goes to the Dashboard, he will see the Forum section and within it the Members section (though not the User group section).
But when he clicks on the 'Members' link, he will be sent to the dashboard's home instead and gets a "Permission Denied".
When going to the Members section of the front end, he IS able to see and edit all members though (except not deleting them), so this won't be a critical issue for me at the moment (but just wanted to share this bug with you)
Issue 2 (matter of perspective)
Well, from my point of view this is definitely a serious security issue. From your point of view though, I could understand if it's just a 'feature request' 😉
As mentioned, I've got these few sub-admins and I do want them to assign specific members to a specific user group. I'm ok with them assigning whoever to whatever they want, except for the "Admin" group!
At this moment they can make themselves Admin if they wanted to and could make the real Admin himself just a 'guest'. So it would be nice if there was some kind of protection that
- non-admins cannot edit the member profile of an admin
- non-admins cannot assign any user to the Admin user group
Thank you for the detailed explanation. We're already aware of these issues and are currently working on this. We'll fix all of those and make the logic secure for non-admins.
Thanks, great work!
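The two protections requested in the first post, written as a server-side check that runs on every group change regardless of which screen submitted it. This is an added example, not wpForo's code; the group ids, the user array shape and `authorize_group_change()` are hypothetical.

```php
<?php
// Constructed group ids for this sketch; a real install defines its own.
const GROUP_ADMIN    = 1;
const GROUP_MEMBER   = 3;
const GROUP_GUEST    = 4;
const GROUP_SUBADMIN = 5;

/**
 * Decide whether $actor may move $target into $newGroupId.
 * Users are arrays: ['id' => int, 'group' => int, 'can_edit_members' => bool].
 * Returns [bool allowed, string reason].
 */
function authorize_group_change(array $actor, array $target, int $newGroupId): array
{
    if (empty($actor['can_edit_members'])) {
        return [false, 'actor lacks the member-editing permission'];
    }
    // Admins may make any change; the rules below bind everyone else.
    if ($actor['group'] === GROUP_ADMIN) {
        return [true, 'actor is an admin'];
    }
    // Rule 1: a non-admin may not edit an admin's profile (this also blocks demoting an admin).
    if ($target['group'] === GROUP_ADMIN) {
        return [false, 'non-admins cannot edit an admin profile'];
    }
    // Rule 2: a non-admin may not assign anyone, themselves included, to Admin.
    if ($newGroupId === GROUP_ADMIN) {
        return [false, 'non-admins cannot assign the Admin group'];
    }
    return [true, 'allowed'];
}

// Constructed users matching the setup described in the thread.
$admin    = ['id' => 1, 'group' => GROUP_ADMIN,    'can_edit_members' => true];
$subadmin = ['id' => 7, 'group' => GROUP_SUBADMIN, 'can_edit_members' => true];
$member   = ['id' => 9, 'group' => GROUP_MEMBER,   'can_edit_members' => false];

$cases = [
    'subadmin sets own group to Admin' => [$subadmin, $subadmin, GROUP_ADMIN],
    'subadmin moves admin to guest'    => [$subadmin, $admin,    GROUP_GUEST],
    'subadmin moves member to guest'   => [$subadmin, $member,   GROUP_GUEST],
    'admin moves subadmin to Admin'    => [$admin,    $subadmin, GROUP_ADMIN],
];
foreach ($cases as $label => [$actor, $target, $group]) {
    [$ok, $why] = authorize_group_change($actor, $target, $group);
    printf("%-34s %s (%s)\n", $label, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The first two cases are denied and the last two allowed; hiding the Admin option in the form is not enough, because the check has to hold for the request itself.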