Bug or feature: Export subscriber with limited rights exports whole subscriber database

We have several lists with several admins managing their own lists with non-superadmin permission but the permission to edit subscribers. If one of these admins goes to “export subscribers”, he can export the whole database, not just his own list!

Is this a bug or a feature?

Best regards,

Here is my own fix for the moment. I post on every admin page where I want to restrict access to superuser only the following code:

#Restricted area, access only for superadmin

if (!$_SESSION['logindetails']['superuser']) {
  print $GLOBALS['I18N']->get('Sorry, this page can only be used by super admins');

I put this code in the beginning of the files right under:

require_once dirname(__FILE__).'/accesscheck.php';

To restrict the export section to superadmins only, you have to modify the file /lists/admin/export.php

I also applied it to /lists/admin/templates.php (I do not want admins to edit templates)

Best regards,


I think that is a bug. Can you report it (and the fix!) as described here: https://www.phplist.org/development/#bugreport

OK, here it is: https://mantis.phplist.org/view.php?id=17801

Note: My fix is just a hotfix because it disables all ways to export subsribers for an admin with limited permissions. A real fix should allow just the export of assigned list(s).

1 Like