1 rnjonjo Sep 28, 2006 00:01
3 clicks Sep 28, 2006 18:43
I have to agree with rnjonjo.
Having the ability to edit the posts of other users leaves a Web site "WIDE OPEN" for abuse and could potentially drop a Web site to its knees.
One could respond by saying: "Well, you should know the community you are allowing to blog on your site and it should be this wonderful harmonious utopian society where everyone respects everyone else's blogs".
I wish it were so and in a perfect world it might happen.
It really seems that the number one feature the app currently lacks is a "lock down user" feature. Even the Drupal Blog app provides a feature to preclude users from editing the posts of other users, and its blog features are inferior to b2evo.
Would it be possible to write a conditional statement for the admin module to only display content based on the logged in users ID?
Clicks.
4 edb Sep 28, 2006 19:09
Let's understand that b2evolution is NOT an open blog app. When you install it and use it YOU are in charge of it. If you allow blogging permissions to anyone and everyone then that's what YOU have chosen to do.
The feature you ask for is a common request, but be aware that allowing multiple authors the permission to edit is also a commonly used feature. How common? Everyone that submits a keyword to the antispam site is either creating a new post OR editing a post someone else created. When we publish or deprecate a keyword we're also editing a post created by a different author. Yup: antispam is a multi-author blog where all players edit posts created by one player.
AFAIK if each new blogger has their own blog, including permission to post in ONLY that blog then they won't be able to edit a post in a different blog. So the only time there is a problem for some blog owners is when you let multiple bloggers post (and edit) in the same blog.
Anyway it's a good idea to have "disable edit of posts by other authors" as an option on a per-blog basis. Obviously this should exclude the admin from editing anything because, well, it's the admin's blog. Back in the old days there were a couple of different ways to hack this. So far I don't think it's been done for the 1.8.* generation.
5 clicks Sep 28, 2006 19:54
Thanks Ed:
Anyway it's a good idea to have "disable edit of posts by other authors" as an option on a per-blog basis. Obviously this should exclude the admin from editing anything because, well, it's the admin's blog. Back in the old days there were a couple of different ways to hack this. So far I don't think it's been done for the 1.8.* generation.
So...... are you up for the challenge? ;)
Clicks
6 rnjonjo Sep 28, 2006 20:37
Yeah EdB (SuperGuru)
are you up to the task of making the hack?
right now that is the number one most important feature for my blog.
so much so, that I even spent hours looking at WordPress and Nucleus, seeing how they work.
You could even charge for such a hack (I would be a customer).
what say you?
7 edb Sep 28, 2006 20:47
I just adopted a web that was completely custom code including a butchered up phpbb forum and am putting a ton of energy into making it be b2evolution-driven with a reasonably stock phpbb installation, so I'm kinda busy now, but yeah: I already figured I'd do this one if I can.
It will NOT be a plugin, so it won't be forward-compatible - unless someone keeps it upgraded. I used to upgrade my hacks, or at least the popular ones, but the changes from 0.9.* to 1.* were pretty complex... Therefore I don't really understand the plugin thing yet so all I can do is hack.
Tell ya what: if I get a hack out and you think it's a good hack and it adds value to your installation then you make a donation to the b2evolution project. I don't do code for money, but b2evolution needs money to keep the wheels on the tracks. Sound like a fair deal to you?
The project I'm on is killing me. I want to make a groovy installation flexing b2evolution in several different directions, but I spend tons of time learning the stupid phpbb thing. It, all by itself, can't do *anything* to stop spammers. Talk about lame...
8 clicks Sep 28, 2006 21:27
Soooooo.................. EdB a/k/a SuperGuru
Is that an emphatic yes, no, no not right now, yes if I donate (which I will be more than happy to do), not now but after my project?
(In case you are thinking you are being ganged-up upon, yes you are being ganged-up upon) :lol:
So, Ed, what was the approximate date you mentioned that you might have a hack for this?
Clicks.
9 balupton Sep 28, 2006 21:41
OK, figured I'll jump aboard this boat as well ;)
So.... If I understand this correctly, you have set your permissions to not allow this, and yet they are able to :S
If so, is this a problem with b2evolution, or with the hacks/plugins you have installed to give yourself this extra functionality....
Just a little bit lost here ;) This boat has been out for days, it was quite a long swim ;)
Edit, btw EdB, gotta reckon it's about time you jump on the Plugins boat as well :lol:
10 rnjonjo Sep 28, 2006 22:09
Tell ya what: if I get a hack out and you think it's a good hack and it adds value to your installation then you make a donation to the b2evolution project. I don't do code for money, but b2evolution needs money to keep the wheels on the tracks. Sound like a fair deal to you?
abso-friggin'-lutely ! That's more than fair! that's excellent!
So.... If i understand this correctly, you have set your permissions to not allow this, and yet they are able to :S
If so, is this a problem with b2evolution, or with the hacks/plugins you have installed to give yourself this extra functionality....
Just a little bit lost here
I have tried NUMEROUS combinations of the permissions (took me hours, BTW). Before I realized that it's just the way b2 is set up to be. It's got nothing to do with setting up permissions.
Once you give your users permission to write, then they can also edit. ANY POST.
And I have no hacks, to speak of. Only the plugins. But from perusing the WWW and this forum itself, it's clear that it's not the plugins or the hacks...just the app.
which is why we are ganging up on EdB so that he can "hack" this...
still lost?
11 rnjonjo Sep 28, 2006 22:14
Ohhh...
I also jotted a quick email to F. Planque (he's the original creator of the b2 app.) asking him if he can help me (or us) out.
still waiting for the reply though. (he must get a ton of them)
12 balupton Sep 28, 2006 22:21
Once you give your users permission to write, then they can also edit. ANY POST.
Yeesh.... Ok.... Hrm..... Makes sense....
I also jotted a quick email to F. Planque (he's the original creator of the b2 app.) asking him if he can help me (or us) out.
Hehe, we know who he is ;) But yeh, he's extremely busy; if your email does get through, it'll be like a few weeks before you get a reply. I'll give blueyed a buzz (he's the co-developer), because yeh, this request should be in b2evo by default. I'll go post a new thread about it now, and we can demand it together.
13 rnjonjo Sep 28, 2006 22:26
I'll give blueyed a buzz (he's the co-developer), because yeh, this request should be in b2evo by default, i'll go post a new thread about it now, and we can demand it together.
hey that's very neat that you're going to do that! Thanks a lot balupton!
14 balupton Sep 28, 2006 22:30
15 edb Sep 28, 2006 22:34
Not ganging up - no worries there. It's a very common thing to request, but not something that I think the dev team is going after. I could be VERY wrong on that! I get a little bit of 'insider' info, but I'm not on the dev team and don't speak for them. So I got no date in mind. I do stuff haphazardly at best. I get tired of phpbb so I try to tweak my new installation's skin to be what I want. And add content when the mood strikes. Boy. I'm as bad as b2evolution about providing a date for release eh?
So let's review. b2evolution is built so that if a member of a blog has edit permission he/she can edit any post in that blog. Lots of people want it so that each blogger can edit their stuff but not stuff by other authors. The last time I hacked this I thought I did good but found out a creative blogger could tweak the URL to get access to edit posts by someone else. So this time I know to go one step deeper, but since the steps changed I don't even know where to begin.
Okay here's a promise: I will dig into code tomorrow to see if I can make this happen. Another promise: I will let this thread know if I make any progress or not. Another promise: whatever I get done I will share in this thread. Notice I didn't promise to actually deliver a working product ;)
Final thought for the day: I have no way of knowing if someone donates money or not. Someone offered to pay for it, so "throw the project a bone instead of some guy" seemed like a good idea to me. My personal motivation to do this is because it's stuff I like to do.
--------
Yeah I know - I gotta get hip to the plugin game. plugins are cool, but being a copy/paste hack dude I gotta see plugins that get close to what I want then hack a couple of them together.
16 balupton Sep 28, 2006 22:44
Not ganging up - no worries there. It's a very common thing to request, but not something that I think the dev team is going after. I could be VERY wrong on that! I get a little bit of 'insider' info, but I'm not on the dev team and don't speak for them.
Well we'll see aye, I'm actually surprised this ain't in b2evo by default; to me it's a big security problem, but that's just me.
Boy. I'm as bad as b2evolution about providing a date for release eh?
Haha aren't we all ;)
Yeah I know - I gotta get hip to the plugin game. plugins are cool, but being a copy/paste hack dude I gotta see plugins that get close to what I want then hack a couple of them together.
Or what you could do is get the Test Plugin, and then hack that to shreds!
Okay here's a promise: I will dig into code tomorrow to see if I can make this happen. Another promise: I will let this thread know if I make any progress or not. Another promise: whatever I get done I will share in this thread. Notice I didn't promise to actually deliver a working product
Anywho, I'm always here to brainstorm. I would imagine it would be an easy hack just to make it so they can only edit their own posts, but a much longer and more difficult hack to make it so the post and edit permissions are totally separate.
So yeh, if you want to start the techie talk, let's get down and dirty :> (needs a more kinky smilie ;))
17 clicks Sep 29, 2006 04:22
Could someone please tell me where I could comment out the right hand column of "edit.gif" hyperlinks shown in this screen view?
Could you please let me know the path and files that are called for those links?
18 balupton Sep 29, 2006 04:41
Just change the following
// Display edit button if current user has the rights:
$r = $Item->get_edit_link( ' ', ' ', get_icon( 'edit' ), '#', '' );
to
$r = '';
In the relevant files in /blogs/inc/VIEW/items/
19 clicks Sep 29, 2006 05:02
Thanks balupton.
I wish I would have asked you where this was before I spent 3 hours looking for it.
Clicks.
20 edb Sep 29, 2006 08:24
Go deeper! Go where "if the user has rights" is answered and ask a few more questions about rights, but first ask yourself if hiding the link(s) is good enough. I'm pretty sure that a malicious user could look at the URL when they edit a post they're allowed to edit and figure out how to edit a post they're not supposed to edit. In other words hiding the link doesn't hide the function. Having said that, and having more than my fill of phpbb mods, let's do this like phpbb mods get done.
Backup your files first! In version 1.8.2 open inc/MODEL/items/_item.class.php in your favorite editor.
FIND:
	{ // User has right to delete this post
		return false;
	}
AFTER ADD:
	if( $current_User->ID != $this->creator_user_ID ) { // current user is NOT the author
		// use one of the three following lines to allow some higher-level permissions
		if( $current_User->ID != 1 ) { // current user is NOT the admin
		// if( $current_User->level <= 5 ) { // current user is NOT a high enough level
		// if( $current_User->Group->ID != 1 ) { // current user is NOT in the admin group
			return false;
		}
	}
FIND:
	{ // User has no right to edit this post
		return false;
	}
AFTER ADD:
	if( $current_User->ID != $this->creator_user_ID ) { // current user is NOT the author
		// use one of the three following lines to allow some higher-level permissions
		if( $current_User->ID != 1 ) { // current user is NOT the admin
		// if( $current_User->level <= 5 ) { // current user is NOT a high enough level
		// if( $current_User->Group->ID != 1 ) { // current user is NOT in the admin group
			return false;
		}
	}
FIND:
	{ // User has no right to publish this post now:
		return false;
	}
AFTER ADD:
	if( $current_User->ID != $this->creator_user_ID ) { // current user is NOT the author
		// use one of the three following lines to allow some higher-level permissions
		if( $current_User->ID != 1 ) { // current user is NOT the admin
		// if( $current_User->level <= 5 ) { // current user is NOT a high enough level
		// if( $current_User->Group->ID != 1 ) { // current user is NOT in the admin group
			return false;
		}
	}
FIND:
	{ // User has no right to publish this post now:
		return false;
	}
AFTER ADD:
	if( $current_User->ID != $this->creator_user_ID ) { // current user is NOT the author
		// use one of the three following lines to allow some higher-level permissions
		if( $current_User->ID != 1 ) { // current user is NOT the admin
		// if( $current_User->level <= 5 ) { // current user is NOT a high enough level
		// if( $current_User->Group->ID != 1 ) { // current user is NOT in the admin group
			return false;
		}
	}
Save yer file and upload, then be amazed at how the various action links only show up on posts you've authored unless you're the admin. Notice how you added the same thing 4 times? Notice the bit that says
// use one of the three following lines to allow some higher-level permissions
if( $current_User->ID != 1 ) { // current user is NOT the admin
// if( $current_User->level <= 5 ) { // current user is NOT a high enough level
// if( $current_User->Group->ID != 1 ) { // current user is NOT in the admin group
The way it's written the one-and-only admin (ID #1) will see the link for all actions on all posts. Comment out that line and uncomment the next to allow any user of sufficient level (in this case I picked 'greater than 5') to see all the action links. Uncomment only the third line to allow all members of group #1 (typically the admin group) to see all the action links.
--------
Understand that this most likely will not stop a malicious user from manually crafting a URL that will allow them to edit someone else's post! If your users are the type to be crafty like that why are you giving them a blog, but since you are you'll need to go one step deeper. The problem is I don't know what that step would be. Clearly you want to stop them from being able to submit an edit (or any other action), but so far I haven't been able to tinker my way to that level. Yet. I'm half a day ahead of my promised schedule, so maybe I'll find where the actions actually happen before balupton does...
21 balupton Sep 29, 2006 08:38
Understand that this most likely will not stop a malicious user from manually crafting a URL that will allow them to edit someone else's post!
As long as you surround load_from_Request inside that validation checker it would be good, and also have an else with the following
$Request->Messages->add( T_('You do not have permission to edit this post.'), 'error' );
It will be fine.
Edit, here's the hack I mentioned.
Find
	/**
	 * Load data from Request form fields.
	 *
	 * @param boolean true to force edit date (as long as perms permit)
	 * @return boolean true if loaded data seems valid.
	 */
	function load_from_Request( $force_edit_date = false )
	{
		global $Request, $default_locale, $allowed_uri_scheme, $Plugins, $current_User;
Replace with
	/**
	 * Load data from Request form fields.
	 *
	 * @param boolean true to force edit date (as long as perms permit)
	 * @return boolean true if loaded data seems valid.
	 */
	function load_from_Request( $force_edit_date = false )
	{
		global $Request, $default_locale, $allowed_uri_scheme, $Plugins, $current_User;

		// Use exactly one of the three following lines to decide who may edit posts they did not write
		// (keep it the same choice as in the get_*_link hack, so the links and the enforcement agree):
		$is_privileged = ( $current_User->ID == 1 );           // current user IS the admin
		// $is_privileged = ( $current_User->level > 5 );      // current user IS a high enough level
		// $is_privileged = ( $current_User->Group->ID == 1 ); // current user IS in the admin group

		if( $current_User->ID != $this->creator_user_ID && ! $is_privileged )
		{ // current user is NOT the author and NOT privileged: refuse without loading any fields
			$Request->Messages->add( T_('You do not have permission to edit this post.'), 'error' );
		}
		else
		{ // author or privileged user: the original body below loads the fields as before
Then keep going and find
		return ! $Request->validation_errors();
	}
and replace with
		}
		return ! $Request->validation_errors();
	}
And you're good
22 topanga Sep 29, 2006 08:44
balupton wrote:
Not ganging up - no worries there. It's a very common thing to request, but not something that I think the dev team is going after. I could be VERY wrong on that! I get a little bit of 'insider' info, but I'm not on the dev team and don't speak for them.
Well we'll see aye, I'm actually suprised this ain't in b2evo by default, to me it's a big security problem, but thats just me.
For me it was a very nice feature!
So it always depends on how you are looking at things to see it as a feature or as a flaw..
There will never be an ideal situation for everybody I suppose..
23 balupton Sep 29, 2006 12:25
For me it was a very nice feature!
So it always depends on how you are looking at things to see it as a feature or as a flaw..There will never be an ideal situation for everybody I suppose..
Yeh, that's why I opened up the other topic suggesting a split of permissions, that way everyone becomes happy :)
24 clicks Sep 29, 2006 15:46
Thanks EdB.
I was working on a similar solution last night where I compared 'preferred name' with 'login' name and then used != 1 for admin. I figured there would be an admin and then everyone else. I think your solution is more scalable with having a group option between admin and basic user.
The reason I asked about the right column in a few threads above this one, is because the following file also needs to be addressed but it seems like this one is an "all or nothing at all" i.e. all edit links or none - unless in your extensive programming wisdom you have a way to have the links appear if 'admin' and not if 'user'. :
\inc\VIEW\items\_browse_tracker.inc.php
25 balupton Sep 29, 2006 16:20
The reason I asked about the right column in a few threads above this one, is because the following file also needs to be addressed but it seems like this one is an "all or nothing at all" i.e. all edit links or none - unless in your extensive programming wisdom you have a way to have the links appear if 'admin' and not if 'user'. :
Why would that file need to be addressed after applying EdB's hack?
A bit offtopic question for EdB.
if( $current_User->ID != 1 ) { // current user is NOT the admin
// if( $current_User->level <5>Group->ID != 1 ) { // current user is NOT in the admin group
You would imagine there would be a simpler way of doing this, as it would appear quite a lot. Like $current_User->has_admin_permissions.
26 edb Sep 29, 2006 17:20
I figure the column would stay there because the posts page(s) will show all posts - those a user can edit and those they can't. So...
On the ID / level / group thing: I went with three simple numbers b2evolution applies to all users. Everyone has a login ID, has a level, and is in a group. If there is a fourth method then people can opt to use that instead.
Hey didja notice how the code section in your post looks funny? You have to disable smilies or html in the post in order for the "<5>" to turn into 2 lines again. When I first did the hack I used ">=5" and noticed when I was making the post. Since that's no good I changed it - and saw the funny version.
27 balupton Sep 29, 2006 17:36
Yeh ;)
You want to properly turn that fix i mentioned a few posts back into a hack, so we can all sleep easily tonight ;)
28 clicks Sep 29, 2006 19:53
EdB:
I'm still looking at the ramifications of the snippet I built last night to show/hide based on authentication permissions.
I found that my _main.php breaks at:
<?php $Item->edit_link( ' • ' ) // Link to backoffice for editing ?>
and works if I comment it
<?php // $Item->edit_link( ' • ' ) // Link to backoffice for editing ?>
I'll have to modify my code or start working with yours if your code doesn't break _main.php.
Did you happen to notice if your _main.php breaks at this point on the first post of the page if you are not logged in with privilege to use "Edit"?
Clicks.
29 edb Sep 29, 2006 20:07
No, but since I never log out and am my only blogger...
So each place you installed that bit I wrote is for a possible action. One of the 4 is for the edit link. At that instance try wrapping the new bit in another conditional statement, like this:
if( is_logged_in() ) {
// the double-conditional described above
}
In the back office you're known to be logged in, so I didn't give any thought to the front side. As you've seen, when someone is not logged in the new bit chokes because the new bit assumes the visitor has a login ID. I'm pretty sure this will clear up your bug. Let me know, and if need be I'll throw down a test installation and register a few times then make a few posts then do this hack then see how to fix it.
Now I gotta figure out paypal. Googling for paypal showed me as the #2 response a website called paypalsucks. Hmmm... But if the club wants it then it's what the webdude does eh?
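Pulling the three pieces of this thread together as one added example (mine, not b2evolution's code and not anything a poster wrote): the get_*_link hack that hides the action links, the load_from_Request guard that refuses the submitted edit, and the front-page breakage for visitors who are not logged in all come down to a single rule, so the rule is written once and called from both the view and the controller. The Group, User and Item classes, the query-string shape and the function names are stand-ins assumed for the example, and it needs PHP 8.

```php
<?php
// Added example, not b2evolution's own code: one authorization rule used both to
// decide whether an edit link is shown and whether an edit request is accepted,
// so hiding the link and enforcing the rule cannot drift apart. Group, User and
// Item are minimal stand-ins (an assumption) that only carry the fields the
// thread relies on: ID, level, Group->ID and creator_user_ID.

class Group { public function __construct(public int $ID) {} }
class User  { public function __construct(public int $ID, public int $level, public Group $Group) {} }
class Item  { public function __construct(public int $ID, public int $creator_user_ID, public string $title) {} }

// Who, besides the author, may still edit. Pick one per blog; these mirror the
// three alternative lines in the hacks above.
const OVERRIDE_ADMIN_ID  = 'admin_id';   // only user #1
const OVERRIDE_MIN_LEVEL = 'min_level';  // any user above a level threshold
const OVERRIDE_GROUP_ID  = 'group_id';   // any member of group #1

/**
 * The single server-side decision. $user is null for an anonymous visitor
 * (the front-office case), which must yield false instead of a fatal error.
 */
function can_edit_item(?User $user, Item $item, string $override = OVERRIDE_ADMIN_ID, int $min_level = 5): bool
{
    if ($user === null) {
        return false;                       // not logged in: never an editor
    }
    if ($user->ID === $item->creator_user_ID) {
        return true;                        // authors always keep their own posts
    }
    switch ($override) {
        case OVERRIDE_ADMIN_ID:  return $user->ID === 1;
        case OVERRIDE_MIN_LEVEL: return $user->level > $min_level;
        case OVERRIDE_GROUP_ID:  return $user->Group->ID === 1;
    }
    return false;                           // unknown policy name: fail closed
}

/** View side: emit the edit link only when the same rule says yes (URL shape assumed). */
function edit_link_html(?User $user, Item $item): string
{
    if (!can_edit_item($user, $item)) {
        return '';
    }
    return '<a href="?ctrl=items&amp;action=edit&amp;post_ID=' . $item->ID . '">edit</a>';
}

/**
 * Controller side: the check a hand-crafted URL cannot bypass. Returns the
 * error messages; an empty array means the edit was accepted and applied.
 */
function handle_edit_request(?User $user, array $items_by_id, array $request): array
{
    $post_id = (int)($request['post_ID'] ?? 0);
    if (!isset($items_by_id[$post_id])) {
        return ['No such post.'];
    }
    $item = $items_by_id[$post_id];
    if (!can_edit_item($user, $item)) {
        return ['You do not have permission to edit this post.'];
    }
    $item->title = (string)($request['post_title'] ?? $item->title); // load fields only after the check
    return [];
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
}

// --- Constructed demonstration data (not real accounts or posts) -----------
$admin   = new User(1, 10, new Group(1));
$alice   = new User(7, 3,  new Group(2));
$mallory = new User(8, 3,  new Group(2));
$posts   = [
    41 => new Item(41, 7, 'Alice: first post'),
    42 => new Item(42, 8, 'Mallory: hello'),
];

// Mallory sees no link on Alice's post...
check(edit_link_html($mallory, $posts[41]) === '', 'link hidden from non-author');
// ...and forging the URL is refused by the controller, leaving the post untouched.
$errors = handle_edit_request($mallory, $posts, ['post_ID' => 41, 'post_title' => 'defaced']);
check($errors !== [] && $posts[41]->title === 'Alice: first post', 'forged edit rejected');
// The author and the admin still get through.
check(handle_edit_request($alice, $posts, ['post_ID' => 41, 'post_title' => 'edited']) === [], 'author may edit');
check($posts[41]->title === 'edited', 'author edit applied');
check(can_edit_item($admin, $posts[42]), 'admin override');
// Level-based override: a level-3 user is below the threshold, a level-6 user is not.
check(!can_edit_item($mallory, $posts[41], OVERRIDE_MIN_LEVEL), 'level too low');
check(can_edit_item(new User(9, 6, new Group(2)), $posts[41], OVERRIDE_MIN_LEVEL), 'level high enough');
// Anonymous front-office visitor: no link and no fatal error.
check(edit_link_html(null, $posts[41]) === '', 'anonymous visitor gets no link');
echo "all checks passed\n";
```

The point of the shape is that edit_link_html never makes its own decision; it only asks can_edit_item, and handle_edit_request asks the same function before touching a single field from the request, so a user who types the edit URL by hand gets exactly the answer the missing link implied. Passing null for the visitor is what keeps the front-office template from choking when nobody is logged in.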
30 balupton Oct 12, 2006 16:32
Updated my previous post to include the hack i mentioned.
31 balupton Dec 16, 2006 16:58
Topic has been split.
A plugin is available/under development to achieve the same functionality as the hack posted a few posts ago by EdB, which is the goal of this topic.
The plugin's topic is now here;
http://forums.b2evolution.net//viewtopic.php?t=10235
This is not a solution, but I can tell you that what you notice, is 'normal standard' behaviour..
You can change that with change of the core files, but at this point, I can't tell you how..
That was the same in the earlier versions though... so how did you manage to change it there?