First of all, much thanks to all the individuals that have put forth the effort to put pgv together - its look/feel and ease of use recently inspired me to begin putting together my own family tree.
I was curious as to the security of the Research Log "plug-in." Note: I have pgv set up so users must authenticate to view the tree.
I created a new Research Folder, added a note to a person, "id1", then logged in as a user with no edit/admin rights and:
1) Was able to view the entry.
2) Was able to click "Delete" - received a message "not allowed to access this folder" BUT the message was deleted.
3) Moved to a different family member, made a research log entry. It didn't show up under that user. I then viewed the original user...the new entry was now listed under that individual. (appears an index counter gets reset, but the entry for that user is not upon deletion)
I also receive an error "Warning: Undefined variable: people in /var/www/html/phpGedView/rs_editlog.php on line 102" when adding any new entries. (nothing in /var/log/httpd/error_log corresponding)
I'm using 0.95c
I didn't see anything in the readme about expected security behavior. 1) How is it supposed to work, 2) is the above expected, and 3) is this being changed?
I don't mind if non-admins can add an entry, but they shouldn't be able to delete those of other users if that's the case.
I'm not sure if I could hack the logging code to perform all these security functions, but I could probably figure out how to keep all but admins out of them (not preferred) if I have to. I write most stuff down right now, but wouldn't mind having it electronically - as long as it isn't going to disappear if someone else makes the wrong clicks :)
J
Anonymous - 2004-01-02
Hello Jason,
I can tell you that at the moment the research log is not even close to PGV regarding compliance with the security layout.
Yes, the researchlog is still being developed and it will be more integrated with PGV. So to answer your question number 3, yes it will be changed :)
As for the undefined variable, I suggest you download the ResearchLog new layout in the Patches section. This is a modified and improved version of the ResearchLog and will become the new download when some more changes have been made.
Regards,
Roland
Roland,
Thanks for the quick response! That's kinda what I figured with its alpha designation "0.x" - I'll try the patched layout this evening.
Maybe I'll see if I can hack it to an admin only "feature" for now. I'm not sure how complicated that would be, as I'm not well versed in php... but I did figure out how to do a basic check for authenticated users during another hack I did the other day. Perhaps I'll post another thread (under General) detailing what/why I did that one in case anyone is interested in something similar (or knows of a better way to do what I am).
Regards,
Jason
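An added example, not part of the original thread and not phpGedView or ResearchLog code: one ordering of checks that would produce the symptom in item 2 of the first post (refusal message shown, entry deleted anyway), beside a version that authorizes before it changes anything and enforces the author-or-admin delete policy asked for there. The function names, the entry layout and the sample data are hypothetical, and the flawed variant is an assumption about the cause, not a reading of the plug-in's source.

```php
<?php
// Added illustration; not phpGedView or ResearchLog code. All names are hypothetical.

// Constructed sample data: log entries keyed by id, each recording its author.
$entries = [
    1 => ['person' => 'id1', 'author' => 'jason', 'text' => 'Check 1880 census'],
    2 => ['person' => 'id1', 'author' => 'guest', 'text' => 'Possible maiden name'],
];

// Policy from the thread: any authenticated user may add an entry,
// but only its author or an admin may delete it.
function can_delete(array $user, array $entry): bool
{
    return $user['is_admin'] || $user['name'] === $entry['author'];
}

// Flawed ordering (assumed): the entry is removed before the permission
// result is acted on, so the refusal message is only cosmetic.
function delete_entry_flawed(array &$entries, array $user, int $id): string
{
    $entry = $entries[$id] ?? null;
    unset($entries[$id]);
    if ($entry === null || !can_delete($user, $entry)) {
        return 'not allowed to access this folder';
    }
    return 'deleted';
}

// Corrected ordering: authorize first, return early on refusal, then mutate.
function delete_entry_checked(array &$entries, array $user, int $id): string
{
    if (!isset($entries[$id]) || !can_delete($user, $entries[$id])) {
        return 'not allowed to access this folder';
    }
    unset($entries[$id]);
    return 'deleted';
}

$guest = ['name' => 'guest', 'is_admin' => false];

// Each call works on its own copy of the sample data.
$a = $entries;
echo delete_entry_flawed($a, $guest, 1), ' / entry 1 present: ', var_export(isset($a[1]), true), "\n";
$b = $entries;
echo delete_entry_checked($b, $guest, 1), ' / entry 1 present: ', var_export(isset($b[1]), true), "\n";
$c = $entries;
echo delete_entry_checked($c, $guest, 2), ' / entry 2 present: ', var_export(isset($c[2]), true), "\n";
```

The same early-return shape applies to the view and add handlers: the permission decision has to gate the data access itself, not just the message rendered afterwards.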