  #130  
02-28-2004, 06:14 AM
AndrewD
 
Join Date: Jul 2002
Location: Scotland
Posts: 3,486
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by ???`S?LV?R???`
but that wouldn't really protect the file, cause then people could just give out links still

The permissions system works in two ways, both building on VB's usergroups:

a) Ability to "do" certain things. You set this in the admin pages, by defining which usergroups can create links, categories, etc. Only a user who is a member of one of the specified groups can carry out the specified task.

b) Ability to "view" things. When you create/edit a link or category, you "assign" a forumid to the link/category. This may be explicit or implicit - i.e. if the user has can_set_permissions (see previous item), then that user can choose which forum to assign to the link, otherwise the default choice set by the administrator is used.

Whenever one of your users views these pages, she will only see links and categories for which her usergroup has the appropriate forum permission. I.e. if that group can see and visit a particular forum, then she can see and visit links associated with that forum.

This also works when trying to download a file. These are set up as a call to local_links.php?action=jump&id=n. If someone tries to get round the system by simply choosing a random number (or if someone tells someone else what number to enter), the code still checks to see if that usergroup has the relevant permission, and refuses the download if not. The user never gets to see where the actual file is stored.

Of course, if someone actually knows where the file is really stored, and gives out that information, then it is perfectly possible to bypass the whole security system. But that is nothing to do with this hack.

Clear?
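Added example, not part of the post above and not the hack's own code: a self-contained PHP model of the download check the post describes, where the request carries only a link id and the forum-permission test is repeated at download time. The tables, function names and paths are constructed for illustration and do not use vBulletin's API.

```php
<?php
// Constructed sample data; the names below are illustrative, not vBulletin's API.
// forumid => usergroup ids whose forum permissions allow viewing that forum
const FORUM_VIEWERS = [
    2 => [2, 5, 6],   // general forum: registered users, moderators, admins
    9 => [5, 6],      // staff forum: moderators and admins only
];
// link id => forum assigned to the link, plus the real storage path.
// Assumption: the path is outside the web root and is never sent to the client.
const LINKS = [
    1 => ['forumid' => 2, 'path' => '/srv/downloads/manual.pdf'],
    2 => ['forumid' => 9, 'path' => '/srv/downloads/staff-notes.zip'],
];

function can_view_forum(array $usergroupIds, int $forumId): bool
{
    if (!array_key_exists($forumId, FORUM_VIEWERS)) {
        return false; // unknown forum: deny by default
    }
    return count(array_intersect($usergroupIds, FORUM_VIEWERS[$forumId])) > 0;
}

// Models action=jump&id=n: returns the path to stream, or null to refuse.
function resolve_download(array $usergroupIds, $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, LINKS)) {
        return null; // malformed or unknown id
    }
    // The same forum-permission test that filters the listing is repeated
    // here, so a guessed or shared id gains nothing.
    if (!can_view_forum($usergroupIds, LINKS[$id]['forumid'])) {
        return null;
    }
    return LINKS[$id]['path']; // caller streams the file; no redirect to the path
}

// A registered user (group 2) may fetch link 1 but not link 2, even with its id.
var_dump(resolve_download([2], '1'));
var_dump(resolve_download([2], '2'));
var_dump(resolve_download([5], '2'));
var_dump(resolve_download([2], '2 OR 1=1'));
```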