[BlueOnyx:25354] Re: 5210R - Additional Server Admin can create Site admins but cannot delete them afterwards - fixed

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Thu Mar 10 10:32:55 -05 2022


Hello Michael,

thank you very much for the investigation and the fix.
I will try tomorrow or on Monday.

Best regards,
Dirk

 
blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel 


 
-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Wednesday, 9 March 2022 02:37
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25351] Re: 5210R - Additional Server Admin can create
Site admins but cannot delete them afterwards - fixed

Hi Dirk,

> I have created an additional server admin on one server. Under
> Expert-Mode, I have given this user all the rights that are available
> there.

I just tested this on a 5209R and 5210R. Server Administrator account.

No privileges from the "Expert Settings" tab.

Under "Basic Settings" he has the following set:

- "Virtual Site Management" - ticked
- "Site DNS Management" - ticked
- "Virtual Site Management: Additional rights": All given

Under "Site Management" one (or more) Vsites are owned by *this*
server-admin.

This was done via "Site Management" / <Vsite> / "General Settings" by
choosing the name of the server-admin in the "Owner" entry and saving.

This server-admin can then see his owned Vsites (and only these) and can
add/modify/delete users. Including siteAdmins. And he can create as many
Vsites (and Users) as he has been allowed to.

I also tested that he can delete regular users and siteAdmins of owned
Vsites. That worked without issue.

---

Then I checked if a server-admin with 'systemAdministrator' privileges (from
the "Expert Settings"-tab), but without "Virtual Site Management" 
from the "Basic Settings"-tab can delete users of a Vsite.

And you're right: THAT he couldn't.

This was an oversight. There was a somewhat overzealous protection built in,
that checked if the server-admin was of the same group as the user he tried
to delete. A server-admin isn't necessarily a member of the same group as a
user - even with 'systemAdministrator' privileges granted. Because he
doesn't need to be.

I made an exception to that check so that we no longer use it if the logged
in user has 'systemAdministrator' privileges and that should fix your issue.

Updated base-user-* RPMs have been published to the 5210R YUM repositories.

--
With best regards

Michael Stauber
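
The check described in this message, modelled as an added example (not BlueOnyx code): the account model, function names and sample accounts are assumptions, and only the same-group test and the 'systemAdministrator' exception come from the message. It compares the decision before and after the fix to confirm that the exception changes the outcome only for holders of 'systemAdministrator'.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Hypothetical account model: Vsite groups plus granted capabilities."""
    name: str
    groups: frozenset = frozenset()
    capabilities: frozenset = frozenset()


def may_delete_before(actor: Account, target: Account) -> bool:
    # Behaviour before the fix: the same-group protection always applied.
    return bool(actor.groups & target.groups)


def may_delete_after(actor: Account, target: Account) -> bool:
    # Behaviour after the fix: the group check is skipped only when the
    # logged in user holds 'systemAdministrator'.
    if "systemAdministrator" in actor.capabilities:
        return True
    return bool(actor.groups & target.groups)


# Constructed sample accounts (names and group ids are made up).
TARGET = Account("user1", groups=frozenset({"site1"}))
ACTORS = [
    Account("sysadmin-no-group",
            capabilities=frozenset({"systemAdministrator"})),
    Account("siteadmin-site1", groups=frozenset({"site1"})),
    Account("siteadmin-site2", groups=frozenset({"site2"})),
]


def changed_decisions() -> list:
    """Names of actors whose delete decision differs before and after."""
    return [a.name for a in ACTORS
            if may_delete_before(a, TARGET) != may_delete_after(a, TARGET)]


if __name__ == "__main__":
    for a in ACTORS:
        print(a.name, may_delete_before(a, TARGET), may_delete_after(a, TARGET))
    print("changed:", changed_decisions())
```
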