vb.org Archive


Kahoona 06-23-2008 10:24 PM

Quick Usergroup Change?
 
Is there a mod that skips the admin login for user editing and just allows me to change someone's usergroup right on their profile?

Marco van Herwaarden 06-24-2008 10:07 AM

Have never seen one, and I would never suggest installing such a modification as it reduces the level of security.

GotWalked 02-19-2009 12:31 AM

I would like this, and how would it reduce security? I'm an undeletable user, and have nothing to worry about.

DragonBlade 02-19-2009 01:17 AM

I'd like to know how it would reduce security as well, no matter if one is an undeletable user or not...

I mean, where's the risk in having a modification that would check to see if someone is in the Admin group (or groups, if a forum has more than one) and display on the member profile page an option to change a user's usergroup?

Marco van Herwaarden 02-19-2009 09:39 AM

Skipping a login intended to block out unwanted users from accessing potentially harmful actions?

You are asking me how this is decreasing the level of security?

DragonBlade 02-19-2009 02:00 PM

Well, yeah, I am. O.o

Skipping a login to change someone's usergroup based on the current user's usergroup... It just seems that if someone was able to somehow spoof their usergroup in the first place, what would the additional check exactly do to prevent this?

Marco van Herwaarden 02-19-2009 02:29 PM

That is not what he is asking. He wants an admin to be able to change anyone's usergroup from the profile without an additional AdminCP session login.

DragonBlade 02-19-2009 02:39 PM

Yes, that's what I'm wondering, too.

Let me clarify, though, I'm not trying to argue--I just would like to program some simple modifications that might emulate some AdminCP tasks. I would like to know, "hey, what extra protection exactly is offered by logging in through AdminCP to do this, and why can't I simply check a user's usergroup instead?"

It's not this specific modification I'm talking about (I really don't see much need for it), but some others. For example, I'm in the middle of programming a "Shoppe" of sorts, and one of the tasks it does (when a certain item bought is activated) is adding a person to a usergroup with a larger PM inbox size. Another item adds a user to a group with a larger avatar limit.

I would like to know how my code is insecure with this, so that I can make needed adjustments.

Dismounted 02-20-2009 04:18 AM

As long as it is the script doing this (without user input into the usergroup, Admin CP options are an exception), it should be fine.

Marco van Herwaarden 02-20-2009 09:04 AM

Quote:

Let me clarify, though, I'm not trying to argue--I just would like to program some simple modifications that might emulate some AdminCP tasks. I would like to know, "hey, what extra protection exactly is offered by logging in through AdminCP to do this, and why can't I simply check a user's usergroup instead?"

The front-end login can be saved (and often will be) and re-used at a later stage. This could lead to a user with bad intentions obtaining an admin session to the forums without the need to log in or know the password. By requiring an extra login before performing any admin actions, we ensure that the person does know the admin password. This also (to some extent) protects against malformed links intended to trick an admin into clicking and unwillingly performing staff actions.
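
The difference between "check the usergroup" and "require a second login", as discussed in the replies above, shown as an added example that is not part of the thread and is not vBulletin code. It is plain PHP 7+ with hypothetical function names, session keys and timeout, and the per-login request token goes one step beyond what the thread describes.

```php
<?php
// Added illustration in plain PHP; not vBulletin code. Every name here is hypothetical.
const ADMIN_REAUTH_TTL = 900; // assumed lifetime, in seconds, of a confirmed admin login

// Second login: the admin retypes the password before any admin action.
function admin_reauth(array &$session, string $password, string $hash, int $now): bool
{
    if (!password_verify($password, $hash)) {
        return false;
    }
    $session['admin_auth_at'] = $now;                    // when the password was proven
    $session['admin_token'] = bin2hex(random_bytes(16)); // tied to this admin login
    return true;
}

// Gate in front of "change this member's usergroup".
function may_change_usergroup(array $session, array $request, int $now): string
{
    if (empty($session['is_admin'])) {
        return 'deny: not in an admin usergroup';
    }
    $at = $session['admin_auth_at'] ?? null;
    if ($at === null || $now - $at > ADMIN_REAUTH_TTL) {
        return 'deny: admin password not confirmed recently';
    }
    $token = (string) ($request['token'] ?? '');
    if (($request['method'] ?? '') !== 'POST' || !hash_equals($session['admin_token'], $token)) {
        return 'deny: request token missing or wrong';
    }
    return 'allow';
}

// Constructed scenario: a session restored from a saved front-end cookie.
$hash = password_hash('constructed-admin-password', PASSWORD_DEFAULT);
$session = ['userid' => 1, 'is_admin' => true];
$now = 1235120400; // constructed timestamp

// 1. Saved login only: the usergroup check passes, the password check does not.
echo may_change_usergroup($session, ['method' => 'POST'], $now), "\n";
// 2. Whoever holds the cookie cannot complete the second login without the password.
var_dump(admin_reauth($session, 'guess', $hash, $now));
// 3. The real admin confirms the password and submits the form with the token.
admin_reauth($session, 'constructed-admin-password', $hash, $now);
$form = ['method' => 'POST', 'token' => $session['admin_token']];
echo may_change_usergroup($session, $form, $now + 10), "\n";
// 4. A crafted link arrives as a GET without the token.
echo may_change_usergroup($session, ['method' => 'GET'], $now + 20), "\n";
// 5. The confirmation has aged out.
echo may_change_usergroup($session, $form, $now + ADMIN_REAUTH_TTL + 1), "\n";
```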

