Bug or feature: Export subscriber with limited rights exports whole subscriber database

We have several lists with several admins managing their own lists with non-superadmin permission but the permission to edit subscribers. If one of these admins goes to “export subscribers”, he can export the whole database, not just his own list!

Is this a bug or a feature?

Best regards,
sd3pk3

Here is my own fix for the moment. I post on every admin page where I want to restrict access to superuser only the following code:

#Restricted area, access only for superadmin

if (!$_SESSION['logindetails']['superuser']) {
  print $GLOBALS['I18N']->get('Sorry, this page can only be used by super admins');
  return;
}

I put this code in the beginning of the files right under:

<?php
require_once dirname(__FILE__).'/accesscheck.php';

To restrict the export section to superadmins only, you have to modify the file /lists/admin/export.php

I also applied it to /lists/admin/templates.php (I do not want admins to edit templates)

Best regards,

sd3pk3

I think that is a bug. Can you report it (and the fix!) as described here: https://www.phplist.org/development/#bugreport

OK, here it is: https://mantis.phplist.org/view.php?id=17801

Note: My fix is just a hotfix because it disables all ways to export subscribers for an admin with limited permissions. A real fix should allow just the export of assigned list(s).

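The list-scoped export described in the last post could look like the sketch below. This is an added example, not part of the original thread and not phpList's own code. The table and column names, the `id` key on the admin record and the `$listOwners` lookup are assumptions made for illustration; only the `superuser` flag comes from the snippet above.

```php
<?php
// Added example, not phpList code. Table/column names and the 'id' key are assumptions.

/**
 * Decide which lists an admin may export.
 * $listOwners maps list ID => owning admin ID (constructed stand-in for a lookup).
 */
function exportableListIds(array $admin, array $requestedIds, array $listOwners): array
{
    $isSuper = !empty($admin['superuser']);
    // Lists this admin is entitled to: all for a superuser, owned ones otherwise.
    $entitled = [];
    foreach ($listOwners as $listId => $ownerId) {
        if ($isSuper || $ownerId === $admin['id']) {
            $entitled[] = (int) $listId;
        }
    }
    // An empty request means "everything I am entitled to", never "everything".
    if ($requestedIds === []) {
        return $entitled;
    }
    $requested = array_unique(array_map('intval', $requestedIds));
    // Silently drop IDs outside the entitlement, including unknown lists.
    return array_values(array_intersect($requested, $entitled));
}

/**
 * Build a parameterized export query limited to the allowed lists.
 * Returns null when nothing is allowed, so no unscoped query can run.
 */
function buildExportQuery(array $allowedIds): ?array
{
    if ($allowedIds === []) {
        return null;
    }
    $in = implode(',', array_fill(0, count($allowedIds), '?'));
    $sql = "SELECT DISTINCT s.email FROM subscribers s "
         . "JOIN list_members m ON m.subscriber_id = s.id "
         . "WHERE m.list_id IN ($in)";
    return ['sql' => $sql, 'params' => $allowedIds];
}

// Constructed sample data: admin 10 owns lists 1 and 2, admin 20 owns list 3.
$listOwners = [1 => 10, 2 => 10, 3 => 20];
$limited = ['id' => 10, 'superuser' => false];

$allowed = exportableListIds($limited, [1, 3, 99], $listOwners);
var_dump($allowed, buildExportQuery($allowed));
var_dump(buildExportQuery(exportableListIds(['id' => 30, 'superuser' => false], [], $listOwners)));
```

The entitlement is computed server-side from the admin's identity and intersected with the request, so a tampered or empty list parameter can never widen the export beyond the admin's own lists.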