Admin member "bug"

[Tim C]

Why is another administrator able to change the admin member to let's say a regular member?

Please don't give me an answer in the form of "But you have to select who to make admin" because sometimes, arguments do happen and people tend to do idiotic things.

I know you can change it back with phpMyAdmin, but there should be a security measure there to prevent this from happening.

Just thought I'd let you guys know

[Jeff Lewis]

Well, how do you expect to change an admin to something else? Afterall, you can then download the handy dandy admin restore tool I wrote

[Tim C]

it just might be a good idea to not let the "head" admin (in other words the one with the admin username) be changed to something else  

[Joseph Fung]

it just might be a good idea to not let the "head" admin (in other words the one with the admin username) be changed to something else  

We deliberately removed anything special about the admin user because we felt it was dumb that it was different from the others.

[Tim C]

 

[Jedi~]

I agree with Tim on this, the first admin shouldn't be able to be changed, like Gold.

[Tim C]

This shouldn't be a mod, this should be a standard  

[Jeff Lewis]

I don't agree and neither did Joseph when we discussed it. I think people should use better judgement who they assign admin rights to if they are that worried

[Tim C]

Ok, let's say that there's a community, and the admins have a stupid fight. and one of them puts aside the "headadmin".
No-one knows when to expect something like this

[Jedi~]

He's got a point. Although it doesn't look like it'll be standard I'll see about writing a mod for it later.

[groundup]

I agree with Jeff & Joseph

[Chris Cromer]

Well depending on the situation it might be a good idea to have it like that... then in other situations it would be handy if the main admin could not remove his admin status...

I seem to recall locking myself out of my admin center because of this.

About 5 days later I leared how to use phpmyadmin and gave myself the admin status back.

[Joseph Fung]

What we'd considered as a suitable solution (which won't be implemented in any 1.x code, but rather for 2.x code) was to allow any one specific administrator to be set as a "head" admin.

This administrator can not be removed or deleted by any other administrators, and his position can only be reliquished - not taken away.  i.e. the head admin can either remove his head admin status (leaving no one as head admin - anyone could then take it over) or assign someone else as the head administrator.

The reason we originally removed anything special about the 'admin' user is because many of the people originally working on this project - Jeff and myself include - felt it was ridiculous that this unimportant username should be allocated special rights.  The people I am talking about did not use the admin user for administrative duties, they simply used their own user.

In addition to this - we're not going to make anything special about the "first admin" as all of the Y1G way of ensuring security in this method was too rigid.

Our method is far more flexible - and while yes, it allows you to shoot yourself in the foot, exercise a bit of intelligence, and either remove administrative rights from someone if you anticipate a power-struggle, or backup so you can restore your user if something does happen