1
Peekay
Xdirectory unauthorised listing changes
  • 2005/4/12 22:03

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Xoops 2.0.10 RC
Xdirectory 1.5.

I have been testing XOOPS modules by logging in under different usernames from the same computer. I just installed Xdirectory and was surprised to discover I can submit a modification to a listing made by another user.

Is this because it uses my IP address instead of the username to validate the listing owner? Or is it a bug?

** Edit **

Just discovered that the modification is submitted for approval by admin, who can choose to ignore it. The submitter's username is shown alongside the proposed changes, along with the listing owner's username.

This is a really nice module

...but I can't see the point of allowing anyone to submit changes for a listing other than the owner. I can see it being abused. An unwary admin could easily accept the changes, which could be deliberately detrimental.

2
tripmon
Re: Xdirectory unauthorised listing changes
  • 2005/4/22 20:33

  • tripmon

  • Module Developer

  • Posts: 462

  • Since: 2004/2/28


when you use 'modify listing' it requires admin approval prior to changes being made to the links database table. There is another table that holds the modified versions.

Say you as the admin enter 100 listings, then the owners of the listing you have entered wants to change their listing info... they can use the modify form and you as the admin must decide wether to update the data or not.

It would make more sense if there was an assign ownership function in the admin.... maybe I'll put that into the next mx-dir beta.

Bottom line is that the modify listing does not modify the data from the links table, so does not change the actual listing, UNTIL the admin approves it.

3
Peekay
Re: Xdirectory unauthorised listing changes
  • 2005/4/22 22:07

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


That's true. Admin has to approve the changes. I just think a busy admin could easily approve a bogus upgrade request unless they are paying attention.

For example, I register as tripman and change one number in your listing's phone number.

Perhaps nobody would be that devious!

4
builderb
Re: Xdirectory unauthorised listing changes
  • 2005/4/22 23:16

  • builderb

  • Not too shy to talk

  • Posts: 137

  • Since: 2003/8/4 2


The reason we kept it this way is so the site owner can populate the database with a "starter list" (you can acquire business lisings from a number of different sources). This is usually done without the business owners knowing. When they happen upon your site and find their listing they will most likely try to make changes or add info.

Giving anyone the ability to modify a listing is good because it engages the business owner and gives you a sales lead. YOU SHOULD ALWAYS FOLLOW UP WITH MODIFIED LISTINGS! you have a really good chance to upgrade their listing from a free one to a sponsored one once they've seen you site. If they try to make a change to their listing that means they feel like their potential customers are going to be seeing it on your site.

If it turns out to be a hoax....no biggie, you got to talk to the business owner and let them know you exist! and that people are using it!

5
Peekay
Re: Xdirectory unauthorised listing changes
  • 2005/4/23 1:10

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Hi builderb. I understand your point. I didn't realise that you could populate the module from a purchased list. I can see the ownership issue and the sales lead opportunity too.

As you point out though, it is very important for admins to validate the authority of the person requesting any changes. I will make a stronger point of this when explaining how the module works.

Login

Who's Online

146 user(s) are online (32 user(s) are browsing Support Forums)


Members: 0


Guests: 146


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Oct 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits