The Arcive of Official vBulletin Modifications Site.

Kahoona · #1 06-23-2008, 10:24 PM

Is there a mod that skips the admin login for user editing and just allows me to change someone's usergroup right on their profile?

Marco van Herwaarden · #2 06-24-2008, 10:07 AM

Have never seen one, and i would never suggest installing such a modification as it reduce the level of security.

GotWalked · #3 02-19-2009, 12:31 AM

i would like this, and how would it reduce security? I'm undeletable user, and have nothing to worry about.

DragonBlade · #4 02-19-2009, 01:17 AM

I'd like to know how it would reduce security as well, no matter if one is an undeletable user or not...

I mean, where's the risk in having a modification that would check to see if someone is in the Admin group (or groups, if a forum has more than one) and display on the member profile page an option to change a user's usergroup?

Marco van Herwaarden · #5 02-19-2009, 09:39 AM

Skipping a login intended to block out unwanted users from accessing potentially harmfull actions?

You are asking me how this is decreasing the level of security?

DragonBlade · #6 02-19-2009, 02:00 PM

Well, yeah, I am. O.o

Skipping a login to change someone's usergroup based on the current user's usergroup... It just seems that if someone was able to somehow spoof their usergroup in the first place, what would the additional check exactly do to prevent this?

Marco van Herwaarden · #7 02-19-2009, 02:29 PM

That is not what he is asking. He wants an admin to be able to change anyones usergroup from the profile without additional AdminCP session login.

DragonBlade · #8 02-19-2009, 02:39 PM

Yes, that's what I'm wondering, too.

Let me clarify, though, I'm not trying to argue--I just would like to program some simple modifications that might emulate some AdminCP tasks. I would like to know, "hey, what extra protection exactly is offered by logging in through AdminCP to do this, and why can't I simply check a user's usergroup instead?"

It's not this specific modification I'm talking about (I really don't see much need for it), but some others. For example, I'm in the middle of programming a "Shoppe" of sorts, and one of the tasks it does (when a certain item bought is activated) is adds a person to a usergroup with a larget PM inbox size. Another item adds a user to a group with a larger avatar limit.

I would like to know how my code is insecure with this, so that I can make needed adjustments.

Dismounted · #9 02-20-2009, 04:18 AM

As long as it is the script doing this (without user input into the usergroup, Admin CP options are an exception), it should be fine.

Marco van Herwaarden · #10 02-20-2009, 09:04 AM

Quote:

Let me clarify, though, I'm not trying to argue--I just would like to program some simple modifications that might emulate some AdminCP tasks. I would like to know, "hey, what extra protection exactly is offered by logging in through AdminCP to do this, and why can't I simply check a user's usergroup instead?"

The front-end login can be saved (and often will) and re-used at a later stage. This could lead to a user with bad intentions to obtain an admin session to the forums without the need to login or know the password. By requiring an extra login before performing any admin actions, we ensure that the person does know the admin password. This also (to some extent) protects about malformed links intended to trick an admin to click and unwillingly perform staff actions.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06318 seconds Memory Usage 2,239KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!