
1 Aug 12, 2005 00:25    

Do this at your own risk!!!

I once had a porn site register for my blog. Fairly stupid since b2evo (by design) doesn't allow new bloggers to do *anything* other than find out they have to wait for the admin, but it did, so you do this hack at your own risk.

The idea here is to allow new bloggers to post in their own blog with their own category upon registration. Okay, so they can... if you hack two files. BTW this applies to version blahblah.12. It might go back a few versions (and if you're on old stuff you should upgrade and patch), and I seriously doubt it will go forward.

You will need to edit two files in your htsrv directory. The first is simple: you need to limit the length of a login name to the same number of characters allowed for a blog stub name. Why? Because this hack will build a blog based on login name, but blogs have to have unique stub names. Oh yeah: this hack will only work if you do NOT use stub files. Even so, your blog stub must be unique, and therefore your new blogger login can not match the first 12 characters of someone else's login.

Open htsrv/_reg_form.php and find this:

<fieldset>
	<fieldset>
		<div class="label"><label for="login"><?php echo T_('Login:') ?></label></div>
		<div class="input"><input type="text" name="login" id="login" size="16" maxlength="20" value="<?php echo format_to_output($login, 'formvalue'); ?>" class="large" /></div>
	</fieldset>


Change it to this:

<fieldset>
	<fieldset>
		<div class="label"><label for="login"><?php echo T_('Login:') ?></label></div>
		<div class="input">
		<input type="text" name="login" id="login" size="10" maxlength="12" value="<?php echo format_to_output($login, 'formvalue'); ?>" class="large" />
		<span class="notes"><?php echo T_('Maximum 12 characters, please.') ?></span>
		</div>
	</fieldset>

Now for the big stuff: Open htsrv/register.php and find this:

		locale_temp_switch( $admin_data['user_locale'] );
		
		$message  = T_('new user registration on your blog'). ":\n\n";


See that blank line in there? Replace it with this:

		
// this is the hack
$new_blog_stub = $new_User->login;
$new_blog_locale = $new_User->locale;
$new_blog_name = $new_blog_stub.' blog';

// create the new blog
// HTML-encode the login before echoing it into the page
echo '<p>Creating blog for '.htmlspecialchars($new_blog_stub).'...</p>';
$query = "INSERT INTO $tableblogs ( ";
$query .= "blog_tagline, ";
$query .= "blog_longdesc, ";
$query .= "blog_notes, ";
$query .= "blog_stub, ";
$query .= "blog_name, ";
$query .= "blog_shortname, ";
$query .= "blog_description, ";
$query .= "blog_locale ) ";
$query .= "VALUES ( ";
$query .= "'A new blog for a new blogger', ";
$query .= "'This is a long description for your blog.', ";
$query .= "'This is a note for your blog.', ";
$query .= "'".$DB->escape($new_blog_stub)."', ";
$query .= "'".$DB->escape($new_blog_name)."', ";
$query .= "'".$DB->escape($new_blog_stub)."', ";
$query .= "'This is the description field.', ";
$query .= "'".$DB->escape($new_blog_locale)."' )";
$DB->query( $query );

// get the new blog ID number
$query = "SELECT blog_ID from $tableblogs WHERE blog_stub = ";
$query .= "'".$DB->escape($new_blog_stub)."'";
$new_blog_ID = $DB->get_var($query);

// create category for the new blog
echo '<p>Creating category '.htmlspecialchars($new_blog_stub).' for '.htmlspecialchars($new_blog_stub).'\'s blog...</p>';
$query = "INSERT INTO $tablecategories ( ";
$query .= "cat_name, ";
$query .= "cat_blog_ID ) ";
$query .= "VALUES ( ";
$query .= "'".$DB->escape($new_blog_stub)."', ";
$query .= "'".$DB->escape($new_blog_ID)."' )";
$DB->query( $query );

// get the new blogger ID number
$query = "SELECT ID from $tableusers WHERE user_login = ";
$query .= "'".$DB->escape($new_blog_stub)."'";
$new_blogger_ID = $DB->get_var($query);

// Set admin permissions for the new blog
echo '<p>Setting admin\'s permissions for '.htmlspecialchars($new_blog_stub).'...</p>';
$query = "INSERT INTO $tableblogusers ( ";
$query .= "bloguser_blog_ID, ";
$query .= "bloguser_user_ID, ";
$query .= "bloguser_ismember, ";
$query .= "bloguser_perm_poststatuses, ";
$query .= "bloguser_perm_delpost, ";
$query .= "bloguser_perm_comments, ";
$query .= "bloguser_perm_cats, ";
$query .= "bloguser_perm_properties ) ";
$query .= "VALUES ( ";
$query .= "'".$DB->escape($new_blog_ID)."', ";
$query .= "1, 1, 'published,protected,private,draft,deprecated', 1, 1, 1, 1 )";
$DB->query( $query );

// Set new blogger permissions for the new blog
echo '<p>Setting '.htmlspecialchars($new_blog_stub).'\'s permissions for '.htmlspecialchars($new_blog_stub).'...</p>';
$query = "INSERT INTO $tableblogusers ( ";
$query .= "bloguser_blog_ID, ";
$query .= "bloguser_user_ID, ";
$query .= "bloguser_ismember, ";
$query .= "bloguser_perm_poststatuses, ";
$query .= "bloguser_perm_delpost, ";
$query .= "bloguser_perm_comments, ";
$query .= "bloguser_perm_cats, ";
$query .= "bloguser_perm_properties ) ";
$query .= "VALUES ( ";
$query .= "'".$DB->escape($new_blog_ID)."', ";
$query .= "'".$DB->escape($new_blogger_ID)."', ";
$query .= "1, 'published,protected,private,draft,deprecated', 1, 1, 1, 1 )";
$DB->query( $query );

param( 'redirect_to', 'string', $admin_url.'/b2edit.php?blog='.$new_blog_ID );
// that was the hack
		

Okay what did that give you? A new user registers with login asdfghjkl. They get a blog named asdfghjkl and a category in that blog named asdfghjkl and they get redirected to the posting page for that blog. In other words, as near as I can tell, as soon as they register and log in they get to the posting page. You, as the admin, also get permissions in their blog. You, as the hacker, can change some of their permissions if you like by hacking the hack a bit. For example you might not want them to be allowed to post published until you see what they write, or you might not want to allow them to create categories. Whatever - it's just a hack that gives them (the new blogger) full permissions over a specific blog.

I think I tested it completely. I dunno. Maybe it sucks horribly, or if you prefer, it is possible that this hack is not completely functional and therefore this post is in some way misleading.

One drawback is that by allowing users to edit or delete posts you allow them to edit or delete posts by anyone. Fix that with [url=http://wonderwinds.com/hackblog.php/2005/01/31/lim_iting_who_can_delete_edit_publish_po]this hack[/url] if you're into it.

2 Aug 15, 2005 06:07

Scuse me for bumping my own thread, but I found some drawbacks to this hack. As-is it does exactly what I said: a blogger gets a blog and a category and redirected to the posting page after logging in, but that's not enough.

The blogger can change his/her login name and the short name of the blog. This is bad because the hack depends on (login names === blog short names), and b2evo gets cranky when you duplicate those items. Since I don't use b2evo's methods to check for duplicity during blog creation the next best thing is to stop users from changing their login.

http://wonderwinds.com/hackblog.php/2005/08/14/automatically_create_a_blog_for_a_new_bl

Another flawback is that the new blogger could actually take away the admin's permissions for the blog. To me as an admin, that's just not acceptable. The blog link above also covers stopping that from happening.

Finally, you might want each blogger to only view stats for the blogs they can post in. http://forums.b2evolution.net/viewtopic.php?t=5010 covers that, with a pair of suggestions following my initial writeup. I think the first is not required (given that this hack gives admin full powers and doesn't allow a new blogger to take them away), but the second hack-on-hack seems smart.
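
Editor's added example, not part of the original posts and not b2evolution code: the thread relies on a `maxlength="12"` form attribute and skips the duplicate-stub check, so this sketch shows the server-side validation that would sit before the blog INSERT in register.php, plus a reduced permission row of the kind the first post suggests (drafts only, no category rights). The function names, the allowed-character policy and the sample data are assumptions; the column names are the ones used in the posted hack.

```php
<?php
// Added example; function names are hypothetical, not b2evolution's API.

// Server-side check for a login that will double as a blog stub.
// $taken: existing stubs, e.g. the rows of SELECT blog_stub FROM $tableblogs.
function stub_problem($login, array $taken, $max_len = 12)
{
    // maxlength="12" in _reg_form.php is only a browser hint, so re-check here.
    if ($login === '' || strlen($login) > $max_len) {
        return "login must be 1-$max_len characters";
    }
    // Assumed policy: keep stubs to a URL-safe alphabet.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $login)) {
        return 'login may contain only letters, digits and underscore';
    }
    // Compare case-insensitively, as a typical MySQL collation would.
    foreach ($taken as $stub) {
        if (strcasecmp($stub, $login) === 0) {
            return 'a blog with this stub already exists';
        }
    }
    return null; // safe to create the blog
}

// Reduced rights for the new blogger's row in $tableblogusers: drafts only,
// no category rights (assumes bloguser_perm_cats is the column that governs
// categories). Other columns keep the values the posted hack uses.
function new_blogger_perms($blog_ID, $user_ID)
{
    return array(
        'bloguser_blog_ID'           => (int) $blog_ID,
        'bloguser_user_ID'           => (int) $user_ID,
        'bloguser_ismember'          => 1,
        'bloguser_perm_poststatuses' => 'draft',
        'bloguser_perm_delpost'      => 1,
        'bloguser_perm_comments'     => 1,
        'bloguser_perm_cats'         => 0,
        'bloguser_perm_properties'   => 1,
    );
}

// Constructed sample data: two existing stubs and four registration attempts.
$taken = array('admin', 'asdfghjkl');
foreach (array('newblogger', 'ASDFGHJKL', 'averyveryverylonglogin', 'bad name') as $login) {
    $problem = stub_problem($login, $taken);
    echo str_pad($login, 24), $problem === null ? 'ok' : "rejected: $problem", "\n";
}
print_r(new_blogger_perms(7, 42));
```

Only the first sample login passes; the others are rejected as a case-insensitive duplicate, as over-length, and for a disallowed character.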

