Non-admin users with "Moderate users" permission can suspend admins. #10422

Closed
JansonChe opened this issue Jan 27, 2022 · 5 comments · Fixed by #10460
@JansonChe

Description

I have a user group called Manager that is allowed to add new users, assign them to a group called "Editor" with fewer permissions, as well as suspend/un-suspend them ("Moderate users" permission). Now I have two things that seem a little strange. But the first issue is by far the more critical one.

Issues:

  • Manager (non-admin user) can suspend admin users. That way the admin is locked out of the CP.
  • According to the Manager group permission they should be able to assign users to the Editor group only. Instead they are able to assign users to both Editor and their own Manager group.

Expected:

  • Manager (non-admin) should be able to suspend and un-suspend non-admin users only, they should not be able to suspend admins.
  • Manager should be able to create new users and assign them to the Editor group, but not to the Manager group.

I'm not sure if this is a bug or just how it is meant to work, but it seemed a little bit weird that an admin could be suspended by a non-admin.

Thanks a lot for your help :)

Steps to reproduce

  1. Create a User Group called Manager.
  2. Activate the following permissions, especially "Moderate users":
    [screenshot: permissions list for the Manager group]
  3. Assign a non-admin user to the Manager group.
  4. Log in as that user and go to the User/Admins section of CP.
  5. Select an admin user and suspend the user through the actions dropdown.
  6. Try to login as the suspended admin in a private window. -> Admin is now locked out by a non-admin user.

For the second problem:

  1. Add a new user using the "Manager"-user.
  2. Assign user groups -> "Manager" is available and assignable even though it's not checked in the permissions list of the "Manager" group.

Additional info

  • Craft version: 3.7.30.1
  • PHP version: 8.0.9
  • Database driver & version: MySQL 8.0.24
  • Plugins & versions:
    "carlcs/craft-redactorcustomstyles": "3.0.4",
    "craftcms/cms": "3.7.30.1",
    "craftcms/feed-me": "4.4.1.1",
    "craftcms/redactor": "2.8.8",
    "ether/seo": "3.7.4",
    "mmikkel/cp-field-inspect": "1.2.5",
    "nystudio107/craft-twigpack": "1.2.15",
    "ostark/craft-async-queue": "2.3.0",
    "sebastianlenz/linkfield": "1.0.25",
    "spicyweb/craft-neo": "2.12.3",
    "verbb/field-manager": "2.2.4",
    "verbb/knock-knock": "1.2.16",
    "verbb/super-table": "2.7.1",
    "wrav/oembed": "1.3.13"
@JansonChe JansonChe added the bug label Jan 27, 2022
@timkelty timkelty self-assigned this Jan 31, 2022
@timkelty
Contributor

@JansonChe for the first issue – I can't reproduce…as expected, I get the error: Only admins can suspend other admins.

Can you try disabling all plugins: 'disabledPlugins' => '*', and see if the issue persists?

To help further, could you send your composer.json, composer.lock, config/ folder, and database dump to [email protected]?

@timkelty
Contributor

@JansonChe as for the second issue, this is actually working as expected, while maybe a bit awkward in this case.

Currently, Craft will always allow you to assign users to groups the user themselves are in: #2087

This is being considered for a change in Craft 4, to make it clearer in use-cases like yours.

@JansonChe
Author

@timkelty Thanks for clarifying the second issue. :)

Regarding the first issue:
I've tried disabling the plugins, but it didn't help. Then I've created a new project using Craft Nitro to test if the issue would also appear on a fresh project and ran into the same problem. I've sent you an email with the requested files for further investigation.

Thanks a lot for your help! :)

@brandonkelly
Member

brandonkelly commented Feb 9, 2022

The first issue (non-admins able to suspend admins) is now fixed for the next release (#10460).

The second issue (confusion over group assignment permissions) is resolved for Craft 4, which will drop the “Assign user groups” permission – which allowed users to assign groups they themselves belonged to – in favor of always requiring group-specific permissions (bca8c37).
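The two authorization rules this thread settles on (only admins may suspend admins; group assignment governed by group-specific permissions rather than by the actor's own membership), as an added stand-alone model. This is not Craft CMS code: the User class, the permission names ("moderateUsers", "assignUserGroups", "assignUserGroup:<group>") and the function names are assumptions of this example, chosen to mirror the behaviour described above. The `require_explicit` flag contrasts the Craft 3 behaviour the maintainer describes with the Craft 4 rule.

```python
"""Added example: a stand-alone model of the two authorization rules in this thread.

Not Craft CMS code. The User class, the permission names ("moderateUsers",
"assignUserGroups", "assignUserGroup:<group>") and the function names are
assumptions of this example chosen to mirror the behaviour the thread describes.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    admin: bool = False
    groups: frozenset = frozenset()
    permissions: frozenset = frozenset()
    suspended: bool = False

    def can(self, permission: str) -> bool:
        # Admins implicitly hold every permission; everyone else needs it granted.
        return self.admin or permission in self.permissions


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the action."""


def suspend(actor: User, target: User) -> User:
    """Server-side check for the suspend action (the rule restored by the fix).

    "Moderate users" lets a non-admin suspend other non-admins, but only an
    admin may suspend an admin. The check lives in the action handler, so it
    holds regardless of whether the control panel shows the suspend button.
    """
    if not actor.can("moderateUsers"):
        raise Forbidden("Missing permission: moderateUsers")
    if target.admin and not actor.admin:
        raise Forbidden("Only admins can suspend other admins.")
    target.suspended = True
    return target


def try_suspend(actor: User, target: User) -> tuple:
    """Non-raising wrapper returning (allowed, message) so callers can log the outcome."""
    try:
        suspend(actor, target)
        return True, f"{target.name} suspended by {actor.name}"
    except Forbidden as exc:
        return False, str(exc)


def assignable_groups(actor: User, all_groups, require_explicit: bool = True) -> set:
    """Groups the actor may assign to a user they create or edit.

    require_explicit=False models the Craft 3 behaviour the maintainer describes:
    an "Assign user groups" permission lets the actor assign any group they
    themselves belong to, which is why the Manager could assign "Manager".
    require_explicit=True models the Craft 4 rule of always requiring a
    group-specific permission.
    """
    if actor.admin:
        return set(all_groups)
    allowed = {g for g in all_groups if actor.can(f"assignUserGroup:{g}")}
    if not require_explicit and actor.can("assignUserGroups"):
        allowed |= set(actor.groups)
    return allowed


def scenario() -> dict:
    """Replay the issue's setup (constructed sample users): a Manager, an Editor and an admin."""
    manager = User("manager", groups=frozenset({"Manager"}),
                   permissions=frozenset({"moderateUsers", "assignUserGroups",
                                          "assignUserGroup:Editor"}))
    editor = User("editor", groups=frozenset({"Editor"}))
    admin = User("admin", admin=True)
    all_groups = ["Editor", "Manager"]
    return {
        "manager_suspends_editor": try_suspend(manager, editor),
        "manager_suspends_admin": try_suspend(manager, admin),
        "admin_suspends_manager": try_suspend(admin, manager),
        "craft3_groups": assignable_groups(manager, all_groups, require_explicit=False),
        "craft4_groups": assignable_groups(manager, all_groups, require_explicit=True),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of putting the admin check inside `suspend()` rather than in the UI is that hiding the dropdown entry would not have protected the admin account: the action endpoint is what must refuse the request.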

@brandonkelly
Member

Craft 3.7.32 is out now with the suspend fix.

brandonkelly added a commit that referenced this issue Feb 9, 2022