I’m frustrated

Admin CP Password Control

OK, this really isn't something that is broken, but I believe it to be a bad idea. You need to take the change password feature off of the root admin account in the admin CP. All someone has to do is have one person's password and they can ruin the entire site and no one can do a thing about it, due to the fact they can edit everyone's passwords... honestly that is the dumbest thing on the admin CP that I can think of... Or at least make it a root account function, but giving everyone access to it is dumb...
  • I'm guessing that you've had this problem.

    It is best never to give out a password to your forum's root admin and always make it cryptic with alphanumeric characters so that no one can "guess" your password.

    If you need help let us know, I'm sure that Chris would be happy to help you sort out the problem if there is one.

    Thanks,
    Lissa
  • I don't give my password out; it's just that the problem is that you can change anyone's password through the admin CP, and it doesn't matter who, as long as you have access to the admin CP, whether you should or not. When you edit a user, one of the things is change password. The problem is you can change anyone's password and it does not notify them, and if you change the email with the password, that person just lost the whole account. I'm saying that the change password feature and the email feature need to be removed from the admin CP altogether... that in fact those two things need to be an account feature through the member CP. In all honesty, why do the admins need to have the power to do that for other people? I have added a screenshot with the areas I'm talking about in a red box.

    I have also taken the time to create another admin account and have it access the original to show what I mean. Now the original is in the root admin group while the other is in a lower admin group with ACP access. As you can see by the screenshot, it doesn't matter that you can't change the group, because you can change password plus email, allowing you to completely take the account.
  • Something we see fairly often is a user does not visit a board for some time. Say, several months.
    When they come back they realize that they forgot their password. They try to recover it but then, they have changed ISPs and do not have access to their old email address any more.
    How are they going to recover their account?

    I'm a bit tired, but would allowing the admin to change their email address but not their password work?
  • It would, if the only problem weren't that the ability to change the email address is just as bad... Let's say I was an admin on another board, and I was very trustworthy up to this point, when the root admin made me mad in a sense (or something like that). Now I go into the admin CP and edit their accounts; though I cannot de-admin them, I could simply just change the email address to my email via the Admin CP and then log out of my account. Now since I didn't change the account password I still don't know it, thus I go to forgot password and have it send me the email for forgetting the password (haven't used it really, so don't know what all you do for it), and because I changed the email address to mine, if I have to put it in I have it. Thus it would send the email to my email account, not the original address, and then I use the link to change the password, thus giving me control of that account; then I log in under it and de-admin the rest and change the password via the password recovery email.
  • I see where you are coming from. It is quite the dilemma.

    Chris, would a possible solution be to have the RootAdmin's non-changeable unless contacting the server host, i.e. you or someone who is working for you, to do the changes? So that they may access it? With of course a warning of something like 3 day delay warnings?

    What do you think?
  • Or it could be that you can make it so that you have to go through the member CP to change passwords and email. They both require the current password in order to change.
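The policy the thread converges on (self-service changes through the member CP that require the current password; no password setting from the admin CP; e-mail changes from the admin CP only against accounts the actor outranks, with the old address notified) can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the forum software discussed or from any of the posters. Everything in it is hypothetical: the role ranks in ROLE_RANK, the User record, the function names, and the notification outbox that stands in for real e-mail.

```python
"""Hypothetical account-change policy for a forum admin panel.

Two paths exist for changing an account's e-mail or password:
  - self_service_change: the member CP path, requires the current password;
  - admin_change:        the admin CP path, cannot set passwords at all and
                         may change e-mail only on lower ranked accounts.
Both paths notify the OLD address, so a hijack is visible to the victim.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import os

# Assumed role hierarchy; a higher number outranks a lower one.
ROLE_RANK = {"member": 0, "moderator": 1, "admin": 2, "root_admin": 3}


@dataclass
class User:
    name: str
    email: str
    role: str
    salt: bytes
    pw_hash: bytes
    # Outbox of (recipient_address, message) pairs standing in for real mail.
    notifications: list = field(default_factory=list)


class PolicyError(Exception):
    """Raised when the account-change policy refuses a change."""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(name: str, email: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, email, role, salt, hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def _notify(user: User, address: str, message: str) -> None:
    user.notifications.append((address, message))


def self_service_change(user: User, current_password: str,
                        new_email: Optional[str] = None,
                        new_password: Optional[str] = None) -> User:
    """Member CP path: every change is gated on the current password."""
    if not verify_password(user, current_password):
        raise PolicyError("current password does not match")
    old_email = user.email
    if new_email is not None:
        user.email = new_email
        # The old address is told, so the real owner sees a takeover attempt.
        _notify(user, old_email, f"e-mail changed to {new_email}")
    if new_password is not None:
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        _notify(user, user.email, "password changed")
    return user


def can_admin_edit(actor: User, target: User) -> bool:
    """An admin may edit only accounts of strictly lower rank (or themselves)."""
    return actor is target or ROLE_RANK[actor.role] > ROLE_RANK[target.role]


def admin_change(actor: User, target: User,
                 new_email: Optional[str] = None) -> User:
    """Admin CP path: no password parameter exists, and an e-mail change is
    refused against equal or higher ranked accounts. This closes the
    'change their e-mail, then use password recovery' route from the thread
    while still letting an admin help a lower ranked member who lost access
    to an old mailbox."""
    if not can_admin_edit(actor, target):
        raise PolicyError(f"{actor.name} ({actor.role}) may not edit "
                          f"{target.name} ({target.role})")
    if new_email is not None:
        old_email = target.email
        target.email = new_email
        _notify(target, old_email, f"e-mail changed by admin {actor.name}")
        _notify(target, new_email, f"e-mail changed by admin {actor.name}")
    return target


if __name__ == "__main__":
    # Constructed accounts replaying the scenario from the thread.
    root = make_user("root", "root@example.invalid", "root_admin", "root-pw")
    lower = make_user("lower", "lower@example.invalid", "admin", "lower-pw")
    try:
        admin_change(lower, root, new_email="lower@example.invalid")
    except PolicyError as err:
        print("refused:", err)
```

Under this model the lower-ranked admin from the thread is refused outright, while the "forgot my password and lost my old mailbox" case is still serviceable for ordinary members because a higher-ranked admin can update their address, and the old address receives a notice either way.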