Major Duplicable Security Hole: Is This a Bug?

  • Talon3DHQ
    replied
    Originally posted by Fusion
    Admins and Super Mods, yes, I agree. I do not buy that this is how it was intended for regular mods tho. Generally they are assigned to specific forums, elsewhere they are meant to have regular user rights. See where it becomes illogical?
    I see, yes. But, I think this point is moot now as it is very clear that they do not view this as a "flaw", but as "working as intended".

    Talon


  • Fusion
    replied
    Originally posted by tubedogg
    The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.
    Admins and Super Mods, yes, I agree. I do not buy that this is how it was intended for regular mods tho. Generally they are assigned to specific forums, elsewhere they are meant to have regular user rights. See where it becomes illogical?


  • Talon3DHQ
    replied
    OK, that explains it a little better anyway. Thank you for that. I did use Mystics' workaround, and it did the trick, so I guess I will just have to remember that for the next upgrade. Thanks for your time and help on this, guys.

    Talon


  • tubedogg
    replied
    The reason it only does this for moderators is simple: moderators are not required to be in one specific usergroup. Administrators and Super Moderators *are*. Since moderators do not have to be in one specific usergroup, individual permissions are assigned to them to mimic the effect that would occur if all moderators were in one usergroup.


  • Talon3DHQ
    replied
    Originally posted by tubedogg
    The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.
    Here's an analogy for that. PATIENT="Doc, it hurts when I do this". Doctor="Then Don't do that". Did that solve the problem? Well, no, not really, because the problem wasn't fixed, it was just avoided. See what I mean?

    Originally posted by tubedogg
    It's like saying you want to change the way the Submit Reply button works because it doesn't preview the message first. If you want to preview the message, use the preview button, not the submit button.
    No offense, tubedogg, but you are comparing apples and oranges.

    My point again is this. It does this ONLY for the moderators, not the admins, and not the Super moderators. Instead of someone only having to change ONE permission to restrict access, they have to manually change every single moderator. If I want to restrict access for all supermoderators, or even admins, all I have to do is change one permission, and BOOM, it's done. I have 20 moderators myself, so that is a pain to do manually, but I can't imagine how much of a pain it is for sites with more than that.

    I am not trying to argue with the Jelsoft team on this. If you all feel this is not an issue, that is fine, but I think that it should be something that perhaps is in the "Instructions" as an option to turn off or on, much like that "aol/icq" feature which requires a simple modification to turn on.

    Talon


  • tubedogg
    replied
    The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.

    It's like saying you want to change the way the Submit Reply button works because it doesn't preview the message first. If you want to preview the message, use the preview button, not the submit button.


  • Fusion
    replied
    Originally posted by tubedogg
    There's a simple way to avoid this - don't set the forum to private, and change permissions for your other groups to not be able to view/post/etc. in it.
    Uhh, Kevin.. Doesn't that void the whole point of having a private-forum option? Seems to me that it would be better to actually correct the feature, make it more logical, rather than going around it like you suggested.


  • tubedogg
    replied
    I'm pretty sure this has not been changed in vB3.

    There's a simple way to avoid this - don't set the forum to private, and change permissions for your other groups to not be able to view/post/etc. in it.


  • Talon3DHQ
    replied
    OK, that's great. Thanks a lot. I will try this tonight when I get home from work.

    Thanks!

    Talon


  • Michael König
    replied
    Just remove / comment out this part in admin/forum.php:
    PHP Code:
        // Select every moderator who is not in usergroup 5 or 6
        $mods = $DB_site->query("SELECT DISTINCT moderator.userid FROM moderator,user WHERE moderator.userid=user.userid AND user.usergroupid<>6 AND user.usergroupid<>5");
        if ($DB_site->num_rows($mods)) {
          while ($mod = $DB_site->fetch_array($mods)) {
            $accessto[] = $mod['userid'];
          }
          // Give each of them an explicit access mask (1) on the forum being saved
          while (list($key, $userid) = each($accessto)) {
            $DB_site->query("INSERT INTO access (userid,forumid,accessmask) VALUES ('$userid','$forumid',1)");
          }
        }
    Mystics
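
An added example, not part of the original thread and not vBulletin's own code: it reproduces the quoted logic on a constructed in-memory SQLite database and then audits the `access` table for `accessmask=1` rows held by users who do not moderate that forum. Table and column names follow the snippet above; `moderator.forumid`, the sample users and the forum ids are assumptions.

```python
import sqlite3

def build_db():
    # Constructed sample data. Table and column names follow the quoted PHP;
    # moderator.forumid is an assumption (the snippet does not show it).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER);
        CREATE TABLE moderator (userid INTEGER, forumid INTEGER);
        CREATE TABLE access (userid INTEGER, forumid INTEGER, accessmask INTEGER);
        INSERT INTO user VALUES (1,'grp6_user',6), (2,'grp5_user',5),
                                (3,'mod_a',2), (4,'mod_b',2), (5,'member',2);
        INSERT INTO moderator VALUES (2,10), (3,10), (4,11);
    """)
    return db

def make_private(db, forumid):
    # Same selection as the quoted code: every moderator outside usergroups
    # 5 and 6 gets an accessmask=1 row for the new private forum.
    mods = db.execute(
        "SELECT DISTINCT moderator.userid FROM moderator, user "
        "WHERE moderator.userid = user.userid "
        "AND user.usergroupid <> 6 AND user.usergroupid <> 5").fetchall()
    db.executemany(
        "INSERT INTO access (userid, forumid, accessmask) VALUES (?, ?, 1)",
        [(uid, forumid) for (uid,) in mods])

def audit_unexpected_grants(db):
    # accessmask=1 rows held by users who do not moderate that forum.
    return db.execute("""
        SELECT user.username, access.forumid
        FROM access JOIN user ON user.userid = access.userid
        WHERE access.accessmask = 1
          AND NOT EXISTS (SELECT 1 FROM moderator
                          WHERE moderator.userid = access.userid
                            AND moderator.forumid = access.forumid)
        ORDER BY user.username, access.forumid""").fetchall()

if __name__ == "__main__":
    db = build_db()
    make_private(db, 20)          # forum 20: the new private forum
    for username, forumid in audit_unexpected_grants(db):
        print(f"{username} has an explicit grant on forum {forumid}")
```

The audit also returns grants an administrator set deliberately for non-moderators, so each row needs review before it is reset to default.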


  • Talon3DHQ
    replied
    Originally posted by smachol
    I don't disagree. I do believe this is fixed in vB 3.0.

    OK, that is good to hear, but I suppose asking for it to be corrected in version 2.2.5 or .6 is too much? I guess I will have to try the "access table" thing mentioned earlier in this thread.


  • Steve Machol
    replied
    I don't disagree. I do believe this is fixed in vB 3.0.


  • Talon3DHQ
    replied
    Originally posted by smachol
    This has been the default behavior ever since I can remember.
    If that is the case, then no offense to Jelsoft, but it is just silly. Why should I have to go to EACH AND EVERY moderator and MANUALLY set their forum access to "DEFAULT" when I have already set the permissions to the forum in question to NOT allow ANY moderators in? The permissions should take care of that, but instead I have to set permission AND set access masks manually for just this one group. Why doesn't it do this for just Moderators, and not Super Moderators, or even Admins? Sorry, it really just doesn't make any sense to me.


    Talon
    Last edited by Talon3DHQ; Mon 24th Jun '02, 12:02pm.


  • Steve Machol
    replied
    Originally posted by Talon3DHQ
    When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly.
    This has been the default behavior ever since I can remember.


  • Talon3DHQ
    replied
    I can honestly say that this is not a "hack" problem. I had the same problem, and still do, and would really appreciate finding out how others corrected this. Here is the EXACT problem:

    When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly. This was happening on my forum before any hacks were installed, and still is, from versions 2.2.1 all the way to 2.2.5.

    Did anyone figure out how to correct this yet?

    Talon
