idea for a moderator quick fix
 


Started by sporkit, August 07, 2004, 12:49:46 AM


sporkit

hello.

although my php skills are limited i was thinking there might be an ugly little way to solve the moderator problem (at least until it's actually put in the next release).  if i'm not mistaken (since i integrated my board with phpbb) a user needs to be an admin on my board to be an admin in cpg.  this is determined by the user's group.
i was thinking why not just trick the board into giving the proper permissions then denying what you don't want your mods to see based on usernames.

basically you could create a file called cpg_mods.php and include it from the template.htm

               

{MY_MODS}

          <table width="100%" border="0" cellspacing="0" cellpadding="0">
                       <tr>
                                <td><a href="index.php"><img src="themes/classic/images/site_logo.png" alt="" border="0" /><br /></a></td>
                                <td width="100%" align="center">
                                        <h1>{GAL_NAME}</h1>
                                        <h3>{GAL_DESCRIPTION}</h3><br />


then the board will get a list of names in cpg_mods.php and find if that user gets to be an admin.



// $user_name and $user_group stand in for the logged-in user's name and group
if ( $user_name == "modGuyOne" )  // check if the current user is one of your moderators
{
     $user_group = 1;    // if so then make him an admin
}


if ( $user_name == "modGuyTwo" )  // check if the current user is one of your moderators
{
     $user_group = 1;    // if so then make him an admin
}



so now the board is giving modGuyOne and Two a list of admin privileges without making them an admin on my phpbb board.

then i was thinking if i didn't want my mods to have access to config.php i could just only let myself get there.  in mod.php


if ( $user_name != "sporkit" ) { exit; }  // anyone other than sporkit stops here


similar code could also control the display of the admin controls.  if user_name is equal to sporkit then display the list of admin controls otherwise don't.  now obviously i'm no expert at security and this definitely has its flaws.  most importantly making sure that somebody doesn't grant themselves admin level by putting ?user_group=1 in their url or something.

before any of this actually works though i suppose i would need to know how to grab the username and status of the currently logged in user.  does anybody know how to do that?  plus for all i know this just might not work period.  it's just me trying to think of a way to solve this problem till it's put out officially with cpg.

Joachim Müller

there used to be a mod around for cpg1.2.1 that had a similar approach: it just hid the admin controls for "moderators". Any moderator who knows his way around could gain access to nearly everything. Currently, Coppermine just checks admin permissions all over the place with

if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

Although you could use this approach if you trusted your moderators and only wanted to keep them from accidentally doing something silly, it is not recommended to use this mod. I wouldn't go for individual user name checking, but I'd rather check if the logged-in user is part of a moderator group.

GauGau
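
The two points in the reply above (deny the request on the server rather than hide the controls, and decide by moderator group rather than by user name), together with the ?user_group=1 concern from the first post, sketched as an added example. It is not Coppermine or phpBB code and not from either poster; the group ids, the action list and all function names are assumptions made for illustration.

```php
<?php
// Added example: every name below is hypothetical, not Coppermine's or phpBB's API.

// Group ids and the actions each group may perform (constructed sample policy).
const GROUP_ADMIN     = 1;
const GROUP_MODERATOR = 2;
const GROUP_MEMBER    = 3;

const ALLOWED_ACTIONS = [
    GROUP_ADMIN     => ['view', 'edit_pictures', 'approve_uploads', 'config'],
    GROUP_MODERATOR => ['view', 'edit_pictures', 'approve_uploads'],
    GROUP_MEMBER    => ['view'],
];

// The group comes from the server-side session record built at login.
// $request (URL and form data) is accepted only to show that it is never
// consulted, so adding ?user_group=1 to a URL changes nothing.
function current_group(array $session, array $request): int
{
    $group = $session['group_id'] ?? GROUP_MEMBER;
    // Unknown or malformed group values fall back to the least privileged group.
    return (is_int($group) && isset(ALLOWED_ACTIONS[$group])) ? $group : GROUP_MEMBER;
}

// Meant to run at the top of every privileged script, before any output.
// Hiding a link in the template is cosmetic; this check is what denies the request.
function is_allowed(string $action, array $session, array $request): bool
{
    return in_array($action, ALLOWED_ACTIONS[current_group($session, $request)], true);
}

// Constructed sample sessions and a tampered request.
$moderator = ['user_name' => 'modGuyOne', 'group_id' => GROUP_MODERATOR];
$member    = ['user_name' => 'someUser',  'group_id' => GROUP_MEMBER];
$tampered  = ['user_group' => '1'];

$cases = [['approve_uploads', $moderator], ['config', $moderator],
          ['config', $member], ['approve_uploads', $member]];

foreach ($cases as [$action, $session]) {
    printf("%-10s %-16s %s\n", $session['user_name'], $action,
        is_allowed($action, $session, $tampered) ? 'allowed' : 'denied');
}
```

With this layout a moderator can be allowed to approve uploads while config stays admin-only, and the decision holds even when the moderator requests the script URL directly.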