Delete user permission allows deleting Administrator

Hi,
When I assign a user the Edit/Delete permission over users, it allows the user to delete all users, including the Administrator user. I don’t think that should happen.
Regular users, like students, staff, etc., are one thing. But if someone deletes the Administrator user … well, nobody will be able to administer the system.
Is it possible to allow a non-administrator user to manage common users, including deleting them, but deny administration and deletion of the Administrator user?

For example, I noticed that that user can’t change the password of the Administrator user, but it seems to be able to delete it. I got to the point where it asks you for the word DELETE, but I didn’t write it, just in case it allowed me to really delete the user.

Thank you!
Warm regards
Ricardo

Or … in case it is not possible to prevent someone with the Delete User permission from deleting the Administrator user, what could be the workarounds for being able to restore it with full capabilities, without affecting the rest of the database?

Thank you!!!

Hi Ricardo. The permission system does enable separating out the Manage Users permission so users cannot delete users, but only edit them. Generally, there are very few reasons for deleting a user at all, because even when a user leaves the school, you would retain their user account with the Left status. For this reason, I would recommend that only Admin have the Manage Users_editDelete permission, which yes, would allow admin to delete other admin accounts, but these should already be the highest trusted user level in your system. Hope this helps!

Hi Sandra,
I hope you are fine!

The case is probably not the most common, but it happens.
What happened is that the person in charge of adding students, teachers, and staff did something wrong and many of the users and staff ended up duplicated, so they have to be deleted.
I, the administrator, don’t want to undertake that task; instead, I would like that same person to do it and in the process understand what he did wrong and learn how not to do it again.
But I don’t think I should give him the ability to delete me and other power users from the system. However, given what you said, there is no intermediate option.
So I will probably give him permission to delete … and just pray that this time things go well :slight_smile:

Thank you!!
Warm regards
Ricardo

Hi Ricardo, understood. Not a common case, but I can see where it isn’t ideal for admin to do this in this case. For a one-off solution, you could edit your modules/User Admin/user_manage_deleteProcess.php file and change line 34 to add && $gibbonPersonID != '0000000001' to prevent deletion of the admin account. Hope this helps.

Hi Sandra,
I hope you are fine!!

I tested it with a “bkp admin user” I’d created just in case, and it still allowed me to delete it. (I used that user’s gibbonPersonID in the condition, instead of the 000…1)

Then I looked at the condition, and my guess was that it would raise the error when the condition was met.
So I just changed the && to || and the != to ==, and it worked as intended. Something like “when the following condition is met, raise the error; else continue with the deletion operation”:

    if ($gibbonPersonID == '' || $gibbonPersonID == '0000000001') {
        // Refuse the request when no ID was supplied or when the target is
        // the built-in Administrator account (gibbonPersonID 0000000001).
        $URL .= '&return=error1';
        header("Location: {$URL}");
        exit;
    } else {
        // delete …
    }

Thank you very much!!
Warm regards
Ricardo
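To make the point of the thread concrete, here is an added PHP example (not Gibbon’s code, not from either poster) that puts the guard in a reusable function and runs it beside the first suggested form, so you can see why `&& != '0000000001'` never blocks the Administrator while `|| == '0000000001'` does. It assumes the built-in Administrator is gibbonPersonID '0000000001' (as stated in the thread); the other IDs, the `$protected` list and the function names are illustrative.

```php
<?php
// Added example, not Gibbon's code. Assumes the built-in Administrator is
// gibbonPersonID '0000000001' (from the thread); the other IDs, the
// $protected list and the function names are illustrative.

// Guard that refuses a delete when the ID is empty OR is a protected account.
// Using a list lets you protect a backup admin as well, not just 0000000001.
function deleteIsBlocked(string $gibbonPersonID, array $protected): bool
{
    return $gibbonPersonID === '' || in_array($gibbonPersonID, $protected, true);
}

// The first suggested form, for comparison: "$id == '' && $id != '0000000001'"
// can only be true for an empty ID, so a non-empty admin ID is never blocked.
function brokenGuard(string $gibbonPersonID): bool
{
    return $gibbonPersonID == '' && $gibbonPersonID != '0000000001';
}

// Constructed sample requests: the Administrator, an illustrative backup admin,
// and a duplicated student that should be deletable.
$protected = ['0000000001', '0000000042'];   // 0000000042: illustrative backup admin
$requests  = ['', '0000000001', '0000000042', '0000001337'];

foreach ($requests as $id) {
    printf("%-12s fixed guard: %-8s first form: %s\n",
        $id === '' ? '(empty)' : $id,
        deleteIsBlocked($id, $protected) ? 'blocked' : 'allowed',
        brokenGuard($id) ? 'blocked' : 'allowed');
}

// In the delete handler the guard replaces the bare ID check, for example:
//   if (deleteIsBlocked($gibbonPersonID, $protected)) {
//       $URL .= '&return=error1';
//       header("Location: {$URL}");
//       exit;
//   }
```

Run it with `php` on the command line: the fixed guard blocks the empty ID and both protected accounts and allows the duplicate, while the first form blocks only the empty ID. The `exit` after `header()` matters in the real handler, since a redirect header alone does not stop the rest of the script from running the delete.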

Thanks Ricardo! Yes, now that I read it again, the || is definitely needed for that conditional statement. Well caught and thanks for sharing your solution :+1:
