ACL system allows admin users to add themselves to roles of greater seniority (2.50)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Sorry about that.

I edited the site map to restrict access to the “Customer Roles” dropdown to Administrators only, and that works, but the issue is that the customer I created (“Test Customer”, with a role of “TestSales”) still has access to change roles and other user roles, and to view the other available roles. The only permission not allowed is Administrator, but it is still able to change to other roles with other permissions. Admin area. Manage ACL is also unchecked.
Steps listed below:

Sorry if it’s confusing.

1. Access "Customer Roles" with Administrator role
2. Create Customer Role "TestSales"
3. Access "Access Control List" with Administrator role
4. Give "TestSales" access to "Access admin area:  Manage Current Carts, Manage Customers, Manage Discounts"
5. Give "TestSales" access to all "Public store permissions"
6. Save
7. Create Customer "Test Customer" and give role of "TestSales" then save.
7. Logout of Administrator role
8. Login as "Test Customer"
9. Access Customer roles, change customer roles of “TestSales” to roles with some and all permissions. Change other users' permissions.
10. Only role not available is Administrator but roles with all the same permissions are available.
9 years ago
Josephsawyer wrote:
10. Only role not available is Administrator but roles with all the same permissions are available.

That's right. It's by design. We do validation only for Administrator. It's not possible to validate other roles with the same permissions.
9 years ago
a.m. wrote:
That's right. It's by design. We do validation only for Administrator. It's not possible to validate other roles with the same permissions.


Even if, let's say, the created Role1 has 4 permissions + Manage Customers and Role2 has 15 permissions + Manage Customers, there is nothing stopping Role1 from adding Role2 to his permissions?


aladino wrote:
By viewing the "Customer Roles" tab of a customer account in the administration area it is possible for any admin user to assign additional roles to their account, thus granting them all of the features enabled for those roles. This oversight completely invalidates the ACL system.


This is the same issue I am having.


a.m. wrote:
Fixed. Please see changeset 4297607a1c47


How do I apply this fix to version 3.30 or was it for 2.50 only?

Again sorry in advance if I'm making it more confusing or posted incorrectly. I'm new to the nopCommerce community.

Thanks again.
9 years ago
Found it in version 3.00 under Access Control List: "Admin area. Manage Customer Roles". Trying to add this code to 3.30 or just use 3.00. I like the option of not allowing them to change user roles but still having access to place an invoice order for a customer.
8 years ago
I think there's a flaw in the design. I want to grant permission for a user to add/remove other users, but now this user can give himself permission to role2 and get access to a lot more features! This is really a security flaw!
If roles were defined based on a hierarchy structure these problems could have been avoided.
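The two checks discussed in this thread, the "validation only for Administrator" behaviour from a.m.'s reply and the no-escalation rule this post asks for, modelled side by side. This is an added illustration, not nopCommerce code; the role catalogue, the "SalesLead" and "Role2" roles and the permission keys are constructed for the example, with only "Manage Customers" and "Manage Customer Roles" taken from the thread.

```python
"""Model of customer-role assignment checks (constructed example, not nopCommerce code)."""

ADMIN = "Administrators"

# Constructed role catalogue: role name -> set of admin permissions it grants.
ROLES = {
    ADMIN: {"ManageCustomers", "ManageCustomerRoles", "ManageCurrentCarts",
            "ManageDiscounts", "ManageSettings", "ManagePlugins"},
    "TestSales": {"ManageCustomers", "ManageCurrentCarts", "ManageDiscounts"},
    "SalesLead": {"ManageCustomers", "ManageCustomerRoles",
                  "ManageCurrentCarts", "ManageDiscounts"},
    "Role2": {"ManageCustomers", "ManageDiscounts", "ManageSettings", "ManagePlugins"},
}


def permissions_of(roles):
    """Union of the permissions granted by a set of role names."""
    return set().union(*(ROLES[r] for r in roles))


def can_assign_roles_by_design(actor_roles, new_roles):
    """The behaviour described in the thread: anyone with Manage Customers may
    edit the roles of any account, and only the Administrators role is refused.
    Every other role, however privileged, can be self-assigned."""
    if "ManageCustomers" not in permissions_of(actor_roles):
        return False
    return ADMIN not in new_roles or ADMIN in actor_roles


def can_assign_roles_hardened(actor_roles, new_roles):
    """Two checks: a dedicated Manage Customer Roles permission (the gate the
    thread says the 3.00 changeset introduced) and a no-escalation rule in the
    spirit of the hierarchy suggestion above: the resulting role set must grant
    no permission the acting user does not already hold. Because it compares
    permission sets rather than role names, it also blocks a differently named
    role that happens to carry the same rights."""
    actor_perms = permissions_of(actor_roles)
    if "ManageCustomerRoles" not in actor_perms:
        return False
    return permissions_of(new_roles) <= actor_perms


if __name__ == "__main__":
    # Step 9 of the original report: a TestSales user adding Role2 to himself.
    print("by design :", can_assign_roles_by_design({"TestSales"}, {"TestSales", "Role2"}))
    print("hardened  :", can_assign_roles_hardened({"TestSales"}, {"TestSales", "Role2"}))
    print("SalesLead :", can_assign_roles_hardened({"SalesLead"}, {"TestSales", "Role2"}))
```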
6 years ago
Why was the Admin area. Manage Customer Roles permission removed from later versions?

Is there a way to implement it again?
6 years ago
This is needed; it's a major flaw in my multi-store website. Does anyone know of a plugin to add this back?
6 years ago
Fixed myself by adding display:none to the customer roles field when not logged in as system role admin
5 years ago
Hi,

I have a system with a built-in administrator. Now I have created another administrator for my commerce manager / store manager, but when I give access to Admin area. Manage Customer, that store manager is able to edit the super admin account, password and all details.

I think the super administrator account can be edited by the super admin only.
5 years ago
Is there any fix (or a plugin to fix) for this issue?

I need to give the store admin the ability to manage users but I cannot let him add himself to the Administrators group and play with other plugins/system configurations!
It is a security requirement, I think.

I am on 4.1 version.

Thank you.