disallow non-Superusers to manage admins

[michield]

Description

non Superusers should not be allowed to manage admins, even when they have "config" permissions

Related Issue

Screenshots (if appropriate):

[michield]

Hmm, how annoying the CI fails again.

[bramley]

This looks ok. It is removing the ability for an ordinary admin to edit/view their own admin details though. I don't use ordinary admins so don't know how important that might be. Perhaps that can be put back later but removing the current ability to change their own privileges.

[bramley]

This is adding an extra page to the Config menu. Currently that menu does not include the admin page.

[michield]

Yes, but that's not a big issue.

[bramley]

When you login the displayed Config menu does not include these items. They are shown only when you display a page after logging-in. I noticed that for other menu items in the past but never tried to figure out why.

The reason is that these statements are run before the login action has been processed, so the admin isn't a super user at that point.

One way to fix this is to redirect on successfully logging-in. I can do a pull request for that.

[michield]

Interesting, I haven't noticed that.

[michield]

Ah, interesting, that must be the reason that the CI jobs failed. First time you login, it's not there. I've commented them out for now, but once you have a PR to fix that (or I) we can add that again

[bramley]

My idea of redirecting on successful login works for the browser but not for the REST API plugin.
Firstly, the client needs to have enabled CURLOPT_FOLLOWLOCATION which currently isn't needed, so there is a possibility of breaking a client. The sample client doesn't do that, https://github.com/michield/phplist-restapi-client

Returning a 302 code will make the client request the page again using GET, but the REST API plugin treats a GET as a documentation page request.
Returning a 307 code will make the client request the page using the original method of POST. This does work when CURLOPT_FOLLOWLOCATION is enabled.

[michield]

The reason it takes two page loads is that accesscheck.php defines the "isSuperuser" and it only gets included in home.php after the header (with the menu) is generated. In a way, I'm puzzled it works at all, as isSuperuser should really be at a higher level. And then it does get set on first login in https://github.com/phpList/phplist3/blob/main/public_html/lists/admin/index.php#L319

Ah, but then "connect.php" has already been included, so the menu additions won't get added at that stage. So, I'll move that down a bit.

[bramley]

Remove this.

[michield]

Ah, yes, that's oversight.

[michield]

removed

[michield]

This looks ok. It is removing the ability for an ordinary admin to edit/view their own admin details though. I don't use ordinary admins so don't know how important that might be. Perhaps that can be put back later but removing the current ability to change their own privileges.

Yes, for now this resolves a security issue where a sub-admin can update the details of a superuser, which is bad. We can add that later again.

[michield]

This commit will make the items appear in the menu on first load: 774a075

[bramley]

Yes, that has fixed the problem. Now the four menu items appear after logging-in.

[phpListDockerBot]

This pull request has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/3-6-14-release-candidate-ready-for-testing/9109/1

[phpListDockerBot]

This pull request has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/phplist-3-6-14-released-security-release/9158/1