Thread: [Phpslash-devel] Sec. hole in authorAdmin 0.65
From: Lars H. <he...@qu...> - 2001-12-15 18:06:58
Hi,

A user with "author" rights is able to delete the phpSlash "god".

Just create a user with author rights, log out, log in with the new user and then kill the god by clicking on "Delete" in admin/authorAdmin.php3.

Regards,
Lars
From: Joe S. <jo...@be...> - 2001-12-15 18:16:40
The "author" rights allow a user to administer authors/users. So this seems to be the correct operation.

I don't understand. Only the "root" account type users should have "author" privileges.

On Sat, Dec 15, 2001 at 07:10:41PM +0100, Lars Heuer wrote:
> Hi,
>
> A user with "author" rights is able to delete the phpSlash "god".
>
> Just create a user with author rights, log out, log in with the new
> user and then kill the god by clicking on "Delete" in admin/authorAdmin.php3
>
> Regards,
> Lars
From: Lars H. <he...@qu...> - 2001-12-15 18:22:49
Hi Joe,

> I don't understand. Only the "root" account type users should have
> "author" privileges.

Oops, maybe I don't understand the account system completely? I just wonder why an author is able to kill the owner of the site.

Regards,
Lars
From: Matt \TrollBoy\ W. <tro...@sh...> - 2001-12-15 18:44:20
He does have a good point actually.. what if Chris Loveless got pissed at me and decided to delete my account?

Matt "TrollBoy" Wiseman
Webmaster: Shoggoth.net
Site Designer: phpslash.org

The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown. -H.P. Lovecraft

---------------------------------------------------------
Please do not resell my e-mail address to anyone or send me unsolicited e-mail
---------------------------------------------------------

----- Original Message -----
From: "Lars Heuer" <he...@qu...>
To: "Joe Stewart" <jo...@be...>
Cc: <php...@li...>
Sent: Saturday, December 15, 2001 1:26 PM
Subject: Re: [Phpslash-devel] Sec. hole in authorAdmin 0.65

> Hi Joe,
>
> > I don't understand. Only the "root" account type users should have
> > "author" privileges.
>
> Oops, maybe I don't understand the account system completely? I just
> wonder why an author is able to kill the owner of the site.
>
> Regards,
> Lars
From: Lars H. <he...@qu...> - 2001-12-15 20:37:55
Hi,

> He does have a good point actually.. what if Chris Loveless got pissed at me
> and decided to delete my account?

And one point also: If I delete an author, the stories the author submitted are gone. Not deleted, but not shown, because the author_id doesn't exist anymore.

So: If your Chris Loveless deletes you, all stories you submitted are not shown. If you're the owner of the site that may be a lot!

Maybe this might be a solution:

1. Extend the user levels for a god account, which isn't shown by the Author:listAuthors()?

2. Create a user account anonymous / nobody which owns the stories of a deleted author?

... maybe not delete the author physically, just set a flag. If the god doesn't say the deletion is okay, the author will not be deleted.

Regards,
Lars
From: Matt \TrollBoy\ W. <tro...@sh...> - 2001-12-16 04:29:13
And for something completely different, a new skin for shoggoth.net.. for all of those that don't understand the full evil of the Cthulhu Cult: http://www.shoggoth.net/shogmsn/

Matt "TrollBoy" Wiseman
From: Joe S. <jo...@be...> - 2001-12-17 18:28:05
On Sat, Dec 15, 2001 at 09:42:16PM +0100, Lars Heuer wrote:
> Hi,
>
> And one point also: If I delete an author, the stories the author
> submitted are gone. Not deleted, but not shown, because the author_id
> doesn't exist anymore.
>

Okay, this is corrected in CVS. An author is not deleted if there are stories assigned to the user_id. This would be required for other DBs that have referential integrity like PostgreSQL.

Just the same type check as in section delete. No fancy error messages, just the story titles and ids.

Joe
From: Ajay S. <ss...@od...> - 2001-12-17 23:00:13
> > And one point also: If I delete an author, the stories the author
> > submitted are gone. Not deleted, but not shown, because the author_id
> > doesn't exist anymore.
>
> Okay, this is corrected in CVS. An author is not deleted if there
> are stories assigned to the user_id. This would be required for
> other DBs that have referential integrity like PostgreSQL.

Do you wanna add another check in there for "root" perms before deleting? Actually a person with "author" perms shouldn't be able to add a "root" account, or they shouldn't be able to modify a root account. Sheesh, this gets hairy fast!

later,
ajay

--------------------------------------------------------------------
Satyajot (Ajay) Sharma  ss...@od...
--------------------------------------------------------------------
From: Joe S. <jo...@be...> - 2001-12-16 21:09:01
On Sat, Dec 15, 2001 at 09:42:16PM +0100, Lars Heuer wrote:
> And one point also: If I delete an author, the stories the author
> submitted are gone. Not deleted, but not shown, because the author_id
> doesn't exist anymore.
>

This would be a bug. There should be a check for this. We check for such things when deleting topics and sections.

Part of the confusion may be the term "author" for the permission. This is permission to manage the user accounts. Normal authors don't need this permission. To publish stories they need the "story" permission. Much as the root user on a *nix system. Don't give this ability to everyone.

> So: If your Chris Loveless deletes you, all stories you submitted are
> not shown. If you're the owner of the site that may be a lot!
>
> Maybe this might be a solution:
> 1. Extend the user levels for a god account, which isn't shown by the
> Author:listAuthors()?
>
> 2. Create a user account anonymous / nobody which owns the stories of a
> deleted author?
>
> ... maybe not delete the author physically, just set a flag. If
> the god doesn't say the deletion is okay, the author will not be
> deleted.
>
> Regards,
> Lars
From: Lars H. <he...@qu...> - 2001-12-16 21:14:58
Hi Joe,

> This would be a bug. There should be a check for this. We check for such
> things when deleting topics and sections.

Yes, I reviewed the deleteAuthor() function and the comment says there should be a check, but there isn't.

Permission system: Yes, maybe I got confused by the word "author".

Thanks,
Lars
From: Ajay S. <ss...@od...> - 2001-12-17 16:44:42
My understanding of the perms is you're able to do anything if you have the ability. Like if you're given "story" and "author" perms then you can play around with the stories and authors. Now if you also have "root" access then you can do the more destructive stuff like delete stories, delete authors, etc...

later,
ajay

On Sun, 16 Dec 2001, Lars Heuer wrote:
> Hi Joe,
>
> > This would be a bug. There should be a check for this. We check for such
> > things when deleting topics and sections.
>
> Yes, I reviewed the deleteAuthor() function and the comment says
> there should be a check, but there isn't.
>
> Permission system: Yes, maybe I got confused by the word "author".
>
> Thanks,
> Lars
From: Joe S. <jo...@be...> - 2001-12-17 17:07:12
Not yet. Pretty much right now if you have block perms you can do all things with blocks, etc.

An exception is the topics. Because the seclev for topics was so low, a user with topic permissions can add topics but not delete. It requires root perms to delete. This makes sense in workflow logic also. A user that can post stories should be able to add needed topics, but otherwise not try to delete existing topics. A user that can add blocks would probably also need the ability to delete blocks.

There are a few places that root can do extra things. One is publishing stories as another user. Another is scheduling story date.

After 0.65 release and we start planning milestones I want to open up discussion of the perms system to generate a spec for development. It needs more scalability, groups (ACLs), and extension to function level perms. But this release is a big step in that direction.

Joe

On Mon, Dec 17, 2001 at 09:46:00AM -0800, Ajay Sharma wrote:
>
> My understanding of the perms is you're able to do anything if you have
> the ability. Like if you're given "story" and "author" perms then you
> can play around with the stories and authors. Now if you also have
> "root" access then you can do the more destructive stuff like delete
> stories, delete authors, etc...
>
> later,
> ajay
>
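The three checks the thread converges on can be seen together in one small model: Joe's CVS fix (an author is not deleted while stories still reference its user_id, and the blocking story titles and ids are reported), Ajay's suggested check (only "root" may delete a "root" account), and Joe's description of the perms above (a permission grants its whole area, "root" grants everything, and topics are the exception where adding needs the topic perm but deleting needs root). The following is an added illustration, not phpSlash code: the class and function names, the in-memory tables, the `REQUIRED_PERM` table and the user/story sample data are all assumptions modelled on the messages, not the project's deleteAuthor() implementation.

```python
"""Added example (not phpSlash code): an in-memory model of the
authorAdmin delete checks and the permission rules discussed above.
All names, the data layout and the sample users/stories are assumptions."""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    perms: set = field(default_factory=set)   # e.g. {"story", "author", "root"}


@dataclass
class Story:
    story_id: int
    title: str
    author_id: int   # the user_id that would dangle if the author were deleted


# Assumed permission table: which perm an (object, action) pair needs.
# "root" is always accepted.  Topics model the exception Joe describes:
# adding needs the "topic" perm, deleting needs "root".
REQUIRED_PERM = {
    ("author", "add"): "author",
    ("author", "delete"): "author",
    ("story", "add"): "story",
    ("story", "delete"): "story",
    ("topic", "add"): "topic",
    ("topic", "delete"): "root",
    ("block", "add"): "block",
    ("block", "delete"): "block",
}


def is_allowed(actor: User, obj: str, action: str) -> bool:
    """Coarse per-area check: root does everything, else look up the table."""
    if "root" in actor.perms:
        return True
    need = REQUIRED_PERM.get((obj, action))
    return need is not None and need in actor.perms


class AuthorStore:
    def __init__(self, users, stories):
        self.users = {u.user_id: u for u in users}
        self.stories = list(stories)

    def delete_author(self, actor: User, target_id: int):
        """Return (ok, reason).  Refuses when:
        1. the actor lacks the "author" (user-admin) perm;
        2. the target holds "root" and the actor does not (Ajay's check);
        3. stories still reference target_id (Joe's fix): report the
           story titles and ids instead of leaving dangling author_ids."""
        if not is_allowed(actor, "author", "delete"):
            return False, "permission denied: needs author perm"
        target = self.users.get(target_id)
        if target is None:
            return False, f"no such user {target_id}"
        if "root" in target.perms and "root" not in actor.perms:
            return False, "permission denied: only root may delete a root account"
        blocking = [(s.story_id, s.title) for s in self.stories
                    if s.author_id == target_id]
        if blocking:
            listing = ", ".join(f"{sid}: {title}" for sid, title in blocking)
            return False, "stories still assigned to this user: " + listing
        del self.users[target_id]
        return True, f"deleted user {target_id}"


def demo() -> dict:
    """Constructed sample data replaying the scenarios from the thread."""
    god = User(1, "god", {"root", "story", "author"})
    foo = User(2, "foo", {"author"})           # the "author"-only user from Lars's report
    bar = User(3, "bar", {"story", "topic"})   # a normal story author
    baz = User(4, "baz", set())                # an account with nothing attached
    store = AuthorStore([god, foo, bar, baz],
                        [Story(10, "Welcome", 1), Story(11, "News", 3)])
    r = {}
    r["foo_deletes_god"] = store.delete_author(foo, 1)[0]    # refused: root target
    r["bar_deletes_foo"] = store.delete_author(bar, 2)[0]    # refused: no author perm
    r["god_deletes_bar"] = store.delete_author(god, 3)[0]    # refused: story 11 assigned
    store.stories = [s for s in store.stories if s.author_id != 3]  # reassign/remove first
    r["god_deletes_bar_after_cleanup"] = store.delete_author(god, 3)[0]  # ok
    r["foo_deletes_baz"] = store.delete_author(foo, 4)[0]    # ok: author perm suffices
    r["bar_adds_topic"] = is_allowed(bar, "topic", "add")        # ok
    r["bar_deletes_topic"] = is_allowed(bar, "topic", "delete")  # refused: needs root
    return r


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} {'allowed' if ok else 'refused'}")
```

The referential check is what Joe added; the root-target check is the part Ajay raises and that the thread leaves open. Both belong in the same function so that the story-ownership check cannot be reached by a caller who should not have been able to touch the account at all.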
From: Lars H. <he...@qu...> - 2001-12-17 17:15:02
Hi Ajay,

> can play around with the stories and authors. Now if you also have
> "root" access then you can do the more destructive stuff like delete
> stories, delete authors, etc...

Yes, but I thought the root (like a UNIX root) should not be deleted by an author, because it's the root, the god of the system.

I've given the user "foo" just author rights and he was able to delete the root. That was surprising.

Thanks,
Lars
From: Joe S. <jo...@be...> - 2001-12-17 18:01:08
Would it be clearer to rename the "author" perm to authoradmin or useradmin? I've got a much more detailed plan for later but would rather wait.

On Mon, Dec 17, 2001 at 06:15:00PM +0100, Lars Heuer wrote:
> Hi Ajay,
>
> > can play around with the stories and authors. Now if you also have
> > "root" access then you can do the more destructive stuff like delete
> > stories, delete authors, etc...
>
> Yes, but I thought the root (like a UNIX root) should not be deleted
> by an author, because it's the root, the god of the system.
>
> I've given the user "foo" just author rights and he was able to delete
> the root. That was surprising.
>
> Thanks,
> Lars
>
From: Lars H. <he...@qu...> - 2001-12-17 18:25:51
Hi Joe,

> Would it be clearer to rename the "author" perm to authoradmin or useradmin?

I prefer useradmin.

Regards,
Lars