09 July 2005 UPDATE: Changegroup.php reworked for security

Thanks to boy genius KirbyDE :D this file has been reworked to secure that users who aren't already in your selected groups cannot be changed by your mods (with a check on attempted overrides).

To update, simply upload the new changegroup.php file in the zip to your /modcp/ directory. No other changes/modifications need to be made.

Please post if there are any problems!

######################################

08 May 2004 UPDATE: Modified file for error reported in post #16

Please download the new file and replace the old one with it. Post if there are any problems!

######################################

Hi all!

Here is the deal with this hack. We have usergroups set up with various permissions, mostly based on limiting their functions if they abuse their rights as a member (limiting them from certain forums, putting them under moderation, etc...).

Our mods need to be able to move our members into (and out of) these restricted groups rather than banning them, but at the same time, they should not be able to move members into (or out of) the mod, admin, waiting for confirmation groups, etc...

NOTE: Banned Groups are NOT touched in this hack -- this is for all groups OTHER than those addressed by the banning function as I wanted to keep that seperate!


What this hack does:



Add a token to each usergroup that the admin can set to say 'yes' or 'no' that the mods can move users into and out of the group.
Adds a token on the mod permissions level -- super mods can change allowable groups by default, and regular mods can only make these changes if you assign it on a mod by mod basis.
Adds the functionality to the ModCP for the mods to make the changes.
Changes that need to be made:

Phrases to add: 5

PHP file edits:

admincp/usergroup.php (1 change)
admincp/moderator.php (1 change)
includes/init.php (2 changes)
modcp/user.php (4 changes)
New PHP file:

changegroup.php (attached in this zip -- upload to your modcp folder)
Included in this zip:

Modification .txt file
changegroup.php
Screenies!
The screen shots below are of the ACP -- adding the tokens to the Usergroup and giving permissions to the mods.

Enjoy, and as always, if anyone has any constructive feedback, or needs any help, post away.

:)

And here are the ModCP screen shots -- this is what the Mod will see when they go to edit the users' usergroups:

Nice idea for a hack! :)

Satan

Thanks! :)

Our team LOVES this. I wrote it back for 2.0.6 but never released it through the upgrades because it was really messy -- I was lazy and hardcoded the usergroupids directly into the php file. Heh.

:confused:

Christine
by change from Group come an error

/modcp/changing.php

????

thx

L.

Hi Limitter,

I put the test php file in the zip by mistake. Thank you for finding that!!

I have reuploaded it -- please let me know if you have any problems!

Nice idea Christine :), thanks you :)

Yes Christine,

thx for your Support and Thx for the Hack my team is Happy :)

*install*

Limitter

From 'mods change usergroups.txt'
Replace with:

if (!can_moderate(0, 'canunbanusers') AND !can_moderate(0, 'canunbanusers') AND !can_moderate(0, 'canmodify') AND !can_moderate(0, 'canviewprofile') AND !can_moderate(0, 'caneditsigs') AND !can_moderate(0, 'caneditavatar'))

should the bold text read

!can_moderate(0, 'canbanusers')

if not, should it be removed from the if?

Great hack BTW!

Thanks for the wonderful hack!

This hack would be even better and like Xenons More Powers for Mods hack if you could DEFINE WHICH groups a Moderator could modify. Could that be implemented? Even if it is hardcoded?

Im trying to allow certain MODS to change only certain groups they are allowed to change. I have 3 differetn mods for 3 different section on my boards and I dont want them messing with other groups.

Could this be added? Maybe by adding the GROUP IDs into the ADMINCP somewhere that a Group can modify.

@ OGT -- Sorry, I missed your post. Let me look at that.

@BLackxRam - This is what this hack does. It adds a radio button into the modify Usergroup section of the Admin CP that says "Modifiable Group" Y/N. If you have this radio button set to Yes on the usergroup, it will show up in the dropdown for the mods. If you set it to no, it won't, so they can't change people into it.

:)


Edit to add -- OGT, that one is a typo that was entered twice but won't hurt anything. I didn't include Banning as that is a seperate permission and I didn't want to exclude those who can't ban from being able to change usergroups. You can take that out as a duplicate entry, or if you want only those who can ban to change groups, change it to canbanusers.

I know I understand that, however what I meant was, I have other mods that I dont want to be able to change certain groups. Like I am looking to have Moderator Group A being able to change usergroups 7, 9, 11 while Moderator Group B can change usergroups 8, 10, and 12. That kind of thing.

Just like Xenons hack for vb2

HI BlackxRam,

I am not familiar with Xenon's vB2 hack as I had written my own back then. I understand what you are looking for now though, but this won't do that without some extensive modifications. Unfortunately, I only use Supermods on my site, so don't have the various mod groups to test this on.

Sorry I couldn't help. You may want to check to see if that hack is in the works to be ported?

There appears to be a bug in changegroup.php if the username being modified has any quotes in the name, see the error below.


Database error in vBulletin 3.0.1:

Invalid SQL:
UPDATE user SET

usergroupid = 8
WHERE username = 'big_kev's_ss'

mysql error: You have an error in your SQL syntax near 's_ss'
' at line 5

mysql error number: 1064

Date: Monday 03rd of May 2004 08:59:16 PM
Script: changegroup.php

Thanks, Sidewindr - I will fix...

Edit to add: Please download the new zip and replace the changegroup.php with the one you have now and let me know if this is working.

great hack but now that i use a promotions system
it would be great to allow moderators the ability to add users to additional groups

Yep working like a charm now .. thanks :up:

Thanks Sidewindr. I sent out an update for it. :)

Hi msimplay, That wouldn't take much to do -- just add the checkboxes and the logic for membergroupids to be inserted into the database. As long as you keep the restriction of the usergroups that you set up as modifiable, that is all they would see as options.

:)

Actually it appears to work...

BUT .. It doesn't make the change ... the old one work and the new one doesn't work properly .. the only real difference I can see is the change from ..

WHERE username = '$username'

to

WHERE userid = '$userid'

dang .. had to go back to the old version where it didn't like quotes in names.

That is strange -- I have the new one working?

Let me go see if I can break it...

Edit to add -- it seems to be working fine on my test site still, but I changed the userid to addslashes($username).

Can you try again?

Yep that fixed it :) ... what does addslashes do ?? :o

It escapes any characters that would normally tell php to cut the script short. Instead of username=fred's it makes it username=fred\'s

:)

Thanks for clicking install! :p

Very good hack!
At our forum we have a few rules regarding max sig sizes when it comes to graphics and text, at least I can allow our mods to change those sigs without giving them full access to the modcp.

Installed, and worked like a charm.
Well done.

note: one question, I can only seem to set this on a mod per mod basis. Is there a way to do this for an entire usergroup?

Come on Christine.. you know you are able to make it use various mods for different groups... i would be eternally grateful because Xenon isnt working on it he said.

Hi TheRayden, note: one question, I can only seem to set this on a mod per mod basis. Is there a way to do this for an entire usergroup?That is by design for the mods. SuperMods and Admins have these rights by default.



Hi BlackxRam,

Sorry -- there are just not enough hours in the day. It shouldn't take too much to modify this to do that, but as I said, I am only using SuperMods, so wouldn't even be able to test it on a live environment if I did have time.

OK - I've searched and can't find it...
Christine - this is the closest hack I've seen to what I am wanting to do.
Maybe you can help....

I want the mods and supermods to be able to change userstitles (and change the Custom Title Allowed) along with the group change....
But I don't want them to be able to globally change usergroups - so AdminCP access is out of the question...

Is there a way to implement Usertitles (and CustomUserTitle) into your hack?

Thanks,
Spydertech

Hi Spydertech,

Are you saying that you want mods to override the default ladder of titles:groups, or are you wanting the system to assign the appropriate title that belongs to the group when the group is changed?

I would like the mods to be able to override the default ladder of titles for the a few of the user groups..

i.e. a mod can "play around" with a users titles over-riding the Ladder of titles I have previously setup - (only in certain groups if that is possible)

BTW - Thanks!! The user group mod is extremely helpful!

Spydertech

Ok -- will look at that for you. Give me a few days as I am trying to fix a few things to get 3.0.3 up.

:)

Thanks again!!

:)

would it be possible to modify this code to add users into
a secondary usergroup rather than moving them.....

i would rather moderator be able to add secondary usergroups
and remove secondary groups .....

I was thinking the same, Teksigns :)

*shrugs*

Hi Christine,

Great hack. Clicks install

But i've got some questions for you.
On my forum we have several user groups with private forums. I was thinking of using your hack to allow the mods of those forums to add and remove users from those groups (and thus from that part of the forum).

It all works, however the mod of group A can move users to group B. That should not be possible. Mods should only be allowed to grant or remove acces to their own forum.

Can you help me out with this?

Nice hack - finally got around to installing it, after a few months of lazyness ;)

One thing I had to do was an additional hack to modcp/index.php - the moderators that have access to this hack dont actually have any other 'user' mod privileges, so this was needed ;)



Find :

if (can_moderate(0, 'canunbanusers') OR can_moderate(0, 'canbanusers') OR can_moderate(0, 'canviewprofile') OR can_moderate(0, 'caneditsigs') OR can_moderate(0, 'caneditavatar'))

and Replace with :

if (can_moderate(0, 'canunbanusers') OR can_moderate(0, 'canbanusers') OR can_moderate(0, 'canmodify') OR can_moderate(0, 'canviewprofile') OR can_moderate(0, 'caneditsigs') OR can_moderate(0, 'caneditavatar'))


Hmm - an addition to the above - I just managed to remove my own admin access using a simple, very little access, mod account. Whereas this isnt a problem for my boards because the only mods with this access are within easy reach if they do mess something up, this could be a problem for boards which may have a disgruntled mod.

There are no checks in changegroup.php at all to check what group the user being moved is a member of.

Also, this mod completely ignores the unalterable users feature

Hi all,

My apologies -- I have been traveling and totally forgot about the request for secondary groups. I will look at that this week.

Praxin, I am not sure what you are referring to, but in the hack, each usergroup can be set in the ACP as 'modifiable' or not. If you set Admins to not be modifiable, then admins will not be able to be changed by mods and additionally, the option to change someone into an admin will not be an option for mods.

As per attached - admin usergrp is set to no, and it is ignored

Hi Praxin,

Can you screen shot the dropdown in the mcp for usergroup changes?

Here ya go ;)

Christine, i think this is a great hack and is perfect for my rpg mod. my sugestion and request to you is be able to select what mods can control what editable usr groups

Here ya go ;) Praxin, I am not seeing that the admin is an eligible group in this shot.

Applicant, Guild Members and Registered are the only options.

With that, how are mods able to change someone to admin status??

The vB recently anounced Critical Update is affected by this hack.

Please go to:

http://www.vbulletin.com/forum/showthread.php?t=125480

And download the 3.0.5 init.php file ASAP to plug this vulnerability.

You will need to modify that file in order to run this hack.

In the new init.php, please make the following changes:

Find: (line 792 in a clean file)
'isbannedgroup' => 32
Replace with:
'isbannedgroup' => 32,
'ismodifiablegroup' => 64

Find: (line 844 in a clean file)
'caneditreputation' => 4194304
Replace with:
'caneditreputation' => 4194304,
'canmodify' => 8388608

Praxin, I am not seeing that the admin is an eligible group in this shot.

Applicant, Guild Members and Registered are the only options.

With that, how are mods able to change someone to admin status??

I didnt say they can change someone to admin status, they can change someone FROM admin status to one of the listed groups

Apologies -- I see what you are saying. Let me take a look at that.

ok, I got it working with some help. But now when I try to do a search for a user in my admin control panel the screen is blank. If i go out and back in I get the normal screen but then it goes to the smaller screen and I dont have the ability to change anything on the user from one screen. I can only do it with the links. Do I have to turn someting off or on? Thanks rob

Cheers for this, great addition for my using Miserable Users hack :)

just to clarify, I installed this again.

Only my super mods can edit user groups, so how would I go about giving this access to my mods also?

I can only see the group is modifiable option, not the group can modify groups option

Watson

What usergroups are the moderators able to switch users from?

Thank You

Christine are you sure that you have added the updated Changegroup.php to the zip? Any user with access to the ModCP is still able to change usergroup levels like so:

modcp/changegroup.php?do=changeuser&u=*usernumberhere*

Hmmm, all Files in the ZIP are dated 2004, and cahngegroup.php doesn't seem to be the current Version, at least it differs from the File I have.

Dark_Konoko,

It didn't overwrite the zip. Likely a problem between the seat and the keyboard.

It is there now -- please verify that this is working for you.

Thanks!

Confirmed. Works great now :) Thank you to both you and KirbyDE.

All credit to KirbyDE for figuring this out.

I am just responsible for PEBSAK (problem exists between seat and keyboard) upload errors.

Thank you muchly for catching this so quickly. :D

Apologies for missing earlier questions -- I have updated my subscription on this thread for email notification. :redface:

@Watson
You give mod access by editing the mods rights -- Smods and Admins have by default

@mustang_lex
That is up to you. The hack allows you to choose via usergroup permissions which groups can be changed and which can't.

Christine

your say to search for;

$cell[] = iif($canbanusers, construct_link_code($vbphrase['ban_user'], "banning.php?$session[sessionurl]do=banuser&userid=$user[userid]"));


but mine is

$cell[] = iif($canbanusers, '<span class="smallfont">' . construct_link_code($vbphrase['ban_user'], "banning.php?$session[sessionurl]do=banuser&amp;userid=$user[userid]") . '</span>');


big difference on the lines, and what prob's is it going to cause?

also,
where do i find the screen you posted that shows the users permissions?
https://vborg.vbsupport.ru/attachment.php?attachmentid=17010

Found it, but the words are blank, must have something to do with the code above being a bit different


Can Restore Banned Users Yes No
Yes No
Can Edit User Signatures Yes No

words are missing for that cell.

[UPDATE]
FIXED-

only problem I have is that it moves them from one group to another-
any way to make it add them to groups instead of removing them from group-

Hench the name group moderator :)
I need my group moderators to be able to add people / take people away from groups, just not shuffle from one group to another-

Other then that- nice mod.

Hi Acedeal,

The difference was in the addition of a span class for a font declaration. :)

Do you have this working as you need it to for your team?

Thanks Christine.
It's working as intended.
(looking at code to see how to make it Add users, instead of moving them to a new group)

Nice mod

My super mods can't edit user groups but they can do everything else i've selected them to be able to....like sigs, avatars etc....

They get the no permission message even though they should be allowed given they are super mods....

Error is: "You can't change user groups for users who are not considered normal, registered users"

No SQL errors at all...I have no idea what if anything I might have done to make it ALMOST work 100%....help please :p

Error is: "You can't change user groups for users who are not considered normal, registered users"

This means that either the source or destination Usergroup is not a modifiable Usergroup, check your Usergroup settings.

This means that either the source or destination Usergroup is not a modifiable Usergroup, check your Usergroup settings.


Ok that got it licked :) thanks Kirby :D

Side Question: If I wanted this hack to change only the Display group, how and where would I need to edit it?

a very good hack
just installed :)
thx

Ok that got it licked :) thanks Kirby :D

Side Question: If I wanted this hack to change only the Display group, how and where would I need to edit it?

*bump*
A little help please?

Installed , thanks , works great.

You know, this IS a nice hack. However, I wouldn't be using vbulletin's bitfields... Also, you gonna port it for 3.5.1? If yes, I suggest you rework the way you store usergroup information :)

Can you please port it to 3.5. :nervous:

Is there a version of this to work with 3.6.x? How much tweaking would be needed to modify it to?

Any chance of updating this so it's compatable with 3.6.x? It's excately what I'm looking for.

has anybody reworked this to work with 3.7? or found somtin that does the same thing?

Has anyone tried to get this to work with 3.7 or 3.8?