CES Parser Permissions
Version: 2.2.3, by thincom2000
Developer Last Online: Sep 2022

Category: Miscellaneous Hacks - Version: 3.6.x
Released: 02-04-2007 Last Update: 11-07-2010 Installs: 59
DB Changes Uses Plugins Auto-Templates
Additional Files  
No support by the author.

CES Parser Permissions
vBulletin 3.6.x, 3.7.x, 3.8.x, 4.0.x supported
Version: 2.2.3

If you encounter what you think may be a bug, please include your vBulletin version number when reporting it, since code and fixes differ greatly from 3.6.4 - 3.8.x.

*** NEWS ***
11/8/2010 - 2.2.3 released
5/15/2010 - 2.2.2 released
4/12/2009 - 3.6.x thread separated

Known Issues:
- If you are using the Advanced BB-Code Permissions hack, conflicts can arise when profile fields are parsed in the postbit, causing nothing to be parsed. The fix is described here: https://vborg.vbsupport.ru/showthread.php?p=1252480

What It Does:
Allows you to grant only certain usergroups the ability to use HTML, BB-code, smilies, and IMG-code in their profile fields, posts, PMs, and in Project Tools.

Mod Features:
- parse profile fields on user profiles using Usergroup Permissions
- parse profile fields in postbits using Usergroup Permissions
- parse posts using Usergroup Permissions
- parse calendar events using Usergroup Permissions
- parse private messages using Usergroup Permissions
- parse Project Tools issues and replies using Usergroup Permissions
- parse Social Messages and usernotes using Usergroup Permissions
- complete Forum Rules integration
- disallow certain HTML tags

Products to Install: 1
Files to Upload: 3
Files to Edit: 0
Template Edits: 0

*** Changelog ***
As of Version 2.2.3
  • non-forum messages don't parse
  • poll options don't parse

As of Version 2.2.2
  • several bug fixes
  • compatible with VaultWiki 2.5.7 PL 1 & 3.0.0 RC 3

* This mod is offered for free here. Please donate if you like this mod *

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#32
04-05-2007, 03:04 AM
YabbaDabba
Join Date: May 2004
Posts: 122

Error in readme.txt:

IS:
In forum/
-----------------------------
- upload: product-ces_html_profile.xml

SB:
In forum/
-----------------------------
- upload: bitfield_ces_html_profile.xml (I guess <<shrug>>)

And in the zip file, the 2 bitfield files are identified as belonging in the "includes/xml/" folder.

I assume the readme takes precedence, but it could be confusing to us literalists.

How about something like:

Quote:
*******************************************
** INSTALLATION **
*******************************************

In forum root
-----------------------------
- upload: bitfield_ces_html_profile.xml

In forum/includes/xml/
-----------------------------
- upload: bitfield_ces_parser_perms.xml

In admincp > Plugins & Products > Manage Products > Add/Import Product
Install: product-ces_parser_perms.xml

and you're done.

Also, I would appreciate some screenshots as to what to expect.

What does the modified Manage Usergroups form look like?
What happens within the WYSIWYG editor if some basic tags are disabled?
Does the editor Preview reflect the disabled permissions?
Are the Posting Rules for the Editor changed?

p.s., I think this is the single most important add-on for our boards. Thank you so much for doing this!!

#33
04-05-2007, 05:17 AM
thincom2000
Join Date: May 2006
Location: Bronx, NY
Posts: 1,205

Quote:
Originally Posted by YabbaDabba View Post
What does the modified Manage Usergroups form look like?
What happens within the WYSIWYG editor if some basic tags are disabled?
Does the editor Preview reflect the disabled permissions?
Are the Posting Rules for the Editor changed?

The WYSIWYG editor does not seem to reflect the permissions. Everything parses in the editor until the post is submitted. I will have to fix this.

I don't believe editor Preview currently does; I will have to fix this as well (unfortunately will add a query to the Post Preview in the Editor).

The posting rules do change.

#34
04-05-2007, 05:36 AM
YabbaDabba
Join Date: May 2004
Posts: 122

Thanks.

In re-reading the instructions, I think I got it wrong, but I still don't quite understand the intent.

Are you recommending uploading the product-xml to the server and installing it as a product from there? Why not install locally? And why are there 2 bitfield files if only one is needed? Or am I still way off the mark? :LOL:

#35
04-05-2007, 05:43 AM
YabbaDabba
Join Date: May 2004
Posts: 122

Oops. I see there's a new zip.

I'll give it a shot. Thanks for the quick turn-around!

#36
04-05-2007, 06:10 AM
YabbaDabba
Join Date: May 2004
Posts: 122

In your readme, you state:
Quote:
Don't be disillusioned: it is still possible for hackers to workaround
these limitations. Only grant HTML to members of your site's staff.

I'm not looking for hacking tips here, but I don't understand what you mean by "limitations" specifically.

Are you referring specifically to the html limits?
Are you referring to the vB-imposed html limits or the CES-imposed limits?
Are you saying that CES Parser Perms opens new security holes in the php or are you referring to hacking the vB php or are you saying that once CES opens the html door a tiny bit, the hackers are off to the races?
And if you are suggesting that there are risks once CES opens up some limited html rights, can you give me a general idea of what you mean? That is, what would tip me off that someone is trying to break things (besides a cracked forum, that is).

Just trying to better understand the risk you are referring to.

#37
04-05-2007, 07:57 AM
YabbaDabba
Join Date: May 2004
Posts: 122

Well, I don't know.
I am only interested (right now) in turning off the IMG tag for new users, but I couldn't get it to work?

Steps:
1 - Uploaded product-ces_html_profile.xml to forum root
2 - Upload bitfield_ces_parser_perms.xml to /includes/xml/
3 - set permissions on both to 755
4 - installed product-ces_html_profile.xml as product (from local copy)
5 - vBulletin Options -> CES Profile Fields -> Banned Tags were left as is
6 - vBulletin Options -> CES Profile Fields -> Global Variables were all deleted (not using "anything" tag)
7 - Usergroup Manager -> Edit Usergroup -> CES Profile Permissions left unchanged
8 - Usergroup Manager -> New Members > Edit Usergroup -> Post/Thread Permissions changed only IMG tag to "no"
9 - created new account in "New Members" group
10 - logged in as new member in FF 2.0.0.2 browser
11 - clicked Post Reply
12 - Editor page does indeed show "[IMG] code is Off"
13 - Added text and copy-n-pasted an image into editor (it appeared in editor)
14 - Clicked Preview (did NOT appear in preview - just the img tags and image url)
14 - Clicked "Submit" to display post.
15 - Image graphic appears in post. I can see it as a "New Member" in FF2 and as Admin in IE7.

So, what did I do wrong??

Also tried changing CES Profile Permissions for IMG tag in profile to "No" but this had no effect on posting either (which is good).

Environment:
vB 3.6.5
PHP Version 5.2.0-8+etch1
Server API CGI/FastCGI
MySQL 5.0.32-Debian_7etch1-log
Server lighttpd/1.4.13
OS Linux

#38
04-05-2007, 08:19 AM
YabbaDabba
Join Date: May 2004
Posts: 122

If I ALSO disable BB codes in Usergroup -> Post/Thread Permissions, that seems to knock out the IMG tag parsing successfully.

But that seems way harsh.

Is that your intent?

#39
04-05-2007, 11:22 AM
thincom2000
Join Date: May 2006
Location: Bronx, NY
Posts: 1,205

In the plugin called Post Parsing Perms, find:
PHP Code:
$dobbimgcode = ($check_ugp['can_imgcode_post'] AND $dobbimgcode) ? true : false;
Replace with:
PHP Code:
$dobbimagecode = ($check_ugp['can_imgcode_post'] AND $dobbimagecode) ? true : false;
Quote:
Originally Posted by YabbaDabba
I'm not looking for hacking tips here, but I don't understand what you mean by "limitations" specifically.

I am saying that the Banned HTML Tags setting in this addon is nowhere near hacker proof. If a hacker wants to use those tags, they will find a way. That being the case, limit the Usergroups allowed to use HTML to those you know probably don't include members who will be trying to hack your site.
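
An added example, not code from the add-on or from vBulletin: the fix in post #39 is a one-name change (`$dobbimgcode` to `$dobbimagecode`), and PHP accepts an assignment to a misspelled variable without complaint, so the usergroup restriction was computed but stored under the wrong name. The sketch below (PHP 7 or later) keeps the same forum-flag AND usergroup-permission logic in a keyed array that rejects unknown flag names and treats missing permissions as "no"; only `can_imgcode_post` and `dobbimagecode` come from the thread, all other names and the sample data are assumptions.

```php
<?php
// Added example, not the add-on's code. Only 'can_imgcode_post' and
// $dobbimagecode appear in the thread; every other name is hypothetical.

// Maps each parser flag to the usergroup permission that gates it.
const FLAG_PERMISSION = [
    'dohtml'        => 'can_html_post',     // hypothetical key
    'dobbcode'      => 'can_bbcode_post',   // hypothetical key
    'dosmilies'     => 'can_smilies_post',  // hypothetical key
    'dobbimagecode' => 'can_imgcode_post',  // key shown in the thread
];

/**
 * Narrow the forum-level parse flags by the poster's usergroup permissions.
 * A flag stays on only if the forum allows it AND the usergroup allows it.
 * Missing permissions count as "no"; unknown flag names raise an error
 * instead of silently creating a value that nothing reads.
 */
function effective_parse_flags(array $forumFlags, array $usergroupPerms): array
{
    $unknown = array_diff(array_keys($forumFlags), array_keys(FLAG_PERMISSION));
    if ($unknown) {
        throw new InvalidArgumentException('Unknown parse flag: ' . implode(', ', $unknown));
    }
    $effective = [];
    foreach (FLAG_PERMISSION as $flag => $perm) {
        $effective[$flag] = !empty($forumFlags[$flag]) && !empty($usergroupPerms[$perm]);
    }
    return $effective;
}

// Constructed sample: the forum allows everything except HTML; the
// "New Members" group has IMG code switched off, as in the earlier report.
$forumFlags = ['dohtml' => false, 'dobbcode' => true, 'dosmilies' => true, 'dobbimagecode' => true];
$newMembers = ['can_bbcode_post' => true, 'can_smilies_post' => true, 'can_imgcode_post' => false];

var_dump(effective_parse_flags($forumFlags, $newMembers));

// The misspelled flag name from the original plugin line is rejected
// here instead of being accepted and ignored.
try {
    effective_parse_flags(['dobbimgcode' => true], $newMembers);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```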

#40
04-05-2007, 12:58 PM
YabbaDabba
Join Date: May 2004
Posts: 122

That seems to have done the trick.

Thank you, thank you, thank you!

FYI: In both IE and FF, minor weirdness in the editors.

A graphic image pasted into the edit window displays as an image (which can build expectations).

But using preview knocks out the disabled codes. (just see the raw BB codes) :up:

Submitted posts don't parse the disabled codes. IMG source displayed as URL. :up:

Edit Posts doesn't display the parsed tags, just the raw BB codes. :up:

Again, this is in IE7 and FF 2.0.0.2. Your mileage may vary.

Thanks again.

#41
04-10-2007, 07:27 AM
YabbaDabba
Join Date: May 2004
Posts: 122

May be seeing some weirdness in un-even coverage of permissions?

Symptoms:
Mod-to-Mod PMs are not parsing BB code. (Mod sees the unparsed tags in PM from another Mod.)
Admin-to-Mod PM is parsing BB code. (Mod says he sees the parsed results in PM from admin.)

Mod says his posting rules on his PM Editor page is:

Posting Rules
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

I assume the PM code permissions are the same as the posting permissions.
For Mods and Admins, they are set the same (via Usergroup Mgr > Edit > Post / Thread Permissions):
- Allow HTML in posts? No
- Allow BB-code in posts? Yes
- Allow Smilies in posts? Yes
- Allow IMG-code in posts? Yes
- Allow Anything-code in posts? No

And "CES Profile Permissions" are set the same as above (except it says "profile fields").

Can't see anything else in the Usergroup settings that would be the cause of this.

Suggestions and ideas?

============
NOTE: your ver 1.2.2 is still displaying as 1.2.1 in the Managed Products list.