1. sabahan: protect admin's profile from other user?
   Posted 2007/11/9 7:29. Quite a regular, 317 posts, since 2006/3/4.

How do I block access to the admin's profile (uid=1) from registered members and anonymous users?

thanks...

2. Will_H: Re: protect admin's profile from other user?
   Posted 2007/11/9 13:04. Friend of XOOPS, 1786 posts, since 2004/10/10.

.htaccess? Maybe.

3. Alex_Grey: Re: protect admin's profile from other user?
   Posted 2007/11/9 13:46. Just popping in, 43 posts, since 2007/6/16.

Below is some code for userinfo.php. It is set so only system_admin can view that profile.

// Already present in userinfo.php: $gperm_handler, $groups and $uid are set earlier in the file.
$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // isAdmin is true if user has 'edit users' admin rights

//Added Code
if ($uid == 1 && !$isAdmin) {
    redirect_header('index.php', 3, _NOPERM);
}
//End

“There is nothing impossible to him who will try.” ~Alex The Great~

4. xlurker: Re: protect admin's profile from other user?
   Posted 2007/11/9 20:47. Just popping in, 7 posts, since 2007/11/2.

Quote:

Alex_Grey wrote:
Below is some code for userinfo.php. It is set so only system_admin can view that profile.

$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // isAdmin is true if user has 'edit users' admin rights

//Added Code
if ($uid == 1 && !$isAdmin) {
    redirect_header('index.php', 3, _NOPERM);
}
//End


Some people deliberately set uid 1 as a non-privileged or non-existent account for security reasons. Omitting that portion of the code and just checking for !$isAdmin is sufficient.

// Already present in userinfo.php: $gperm_handler and $groups are set earlier in the file.
$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // isAdmin is true if user has 'edit users' admin rights

//Added Code
if (!$isAdmin) {
    redirect_header('index.php', 3, _NOPERM);
}
//End
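The two snippets above either hard-code uid 1 or hide every profile from non-admins. As an added example (not XOOPS core code and not code from either poster), the following PHP 7.4+ script generalizes the check: it hides the profile of every member of a protected group, whatever their uid, while still letting admins and the user themselves through, and fails closed for unknown users. The group ids, the `canViewProfile` function and the directory table are assumptions made for the demo, not XOOPS constants or API.

```php
<?php
// Added example, not code from XOOPS or from the thread above.
// Hides the profile of every member of a protected group instead of
// hard-coding uid 1 (which need not be the privileged account).
// Group ids, function names and the lookup table are assumptions.

const GROUP_ADMIN = 1;  // assumed id of the webmasters group
const GROUP_USERS = 2;
const GROUP_ANON  = 3;

/**
 * Return true if a viewer with $viewerGroups (and $viewerUid, 0 = anonymous)
 * may see the profile of $targetUid whose groups are $targetGroups.
 * Fails closed: an unknown target (null groups) is never shown.
 */
function canViewProfile(int $viewerUid, array $viewerGroups, int $targetUid, ?array $targetGroups, array $protectedGroups = [GROUP_ADMIN]): bool
{
    if ($targetGroups === null) {
        return false;                       // no such user
    }
    if ($viewerUid > 0 && $viewerUid === $targetUid) {
        return true;                        // own profile is always visible
    }
    if (in_array(GROUP_ADMIN, $viewerGroups, true)) {
        return true;                        // admins see every profile
    }
    foreach ($protectedGroups as $g) {
        if (in_array($g, $targetGroups, true)) {
            return false;                   // target belongs to a protected group
        }
    }
    return true;
}

// Constructed sample directory (uid => groups). uid 1 is deliberately an
// ordinary member, as xlurker describes; the real webmaster is uid 7.
$directory = [
    1  => [GROUP_USERS],
    7  => [GROUP_ADMIN, GROUP_USERS],
    42 => [GROUP_USERS],
];

/** Run the cases a reviewer would check; returns case => allowed. */
function profileVisibilityMatrix(array $directory): array
{
    $lookup = static fn(int $uid): ?array => $directory[$uid] ?? null;
    return [
        'anon views uid 1 (ordinary member)' => canViewProfile(0,  [GROUP_ANON],  1,  $lookup(1)),
        'anon views uid 7 (webmaster)'       => canViewProfile(0,  [GROUP_ANON],  7,  $lookup(7)),
        'member views uid 7 (webmaster)'     => canViewProfile(42, [GROUP_USERS], 7,  $lookup(7)),
        'webmaster views own profile'        => canViewProfile(7,  [GROUP_ADMIN, GROUP_USERS], 7,  $lookup(7)),
        'webmaster views uid 42'             => canViewProfile(7,  [GROUP_ADMIN, GROUP_USERS], 42, $lookup(42)),
        'member views missing uid 99'        => canViewProfile(42, [GROUP_USERS], 99, $lookup(99)),
    ];
}

foreach (profileVisibilityMatrix($directory) as $case => $allowed) {
    printf("%-36s %s\n", $case, $allowed ? 'allowed' : 'denied');
}

// Inside userinfo.php the denied branch would use the same redirect the
// thread already uses:
//   redirect_header('index.php', 3, _NOPERM);
```

The point of the group check rather than a uid check is that it keeps working when uid 1 is a decoy and when a second webmaster account is added later; the decision is made from the target's group membership, which is what actually carries the privilege.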

5. sabahan: Re: protect admin's profile from other user?
   Posted 2007/11/10 0:40. Quite a regular, 317 posts, since 2006/3/4.

thank you

6. tom: Re: protect admin's profile from other user?
   Posted 2007/11/10 3:49. Friend of XOOPS, 1359 posts, since 2002/9/21.

Out of pure interest, how does this help security-wise? Let's just imagine a hacker sees your site and wants to cause damage; they could still find your UID from site info, or from forum and news articles posted.

Unless of course the site in question is run in total secrecy and no admin account ever posted.

Was it Catz or Mith that introduced an account feature so you could have a username and a logon name to mask the important security details? Would this not be of any serious help?

Sorry for the rather dull questions here, just intrigued to know what the real benefits are.

7. irmtfan: Re: protect admin's profile from other user?
   Posted 2007/11/10 4:03. Module Developer, 3419 posts, since 2003/12/7.

I'm afraid, Tom, that this great feature is not supported by anybody except me for adding to the 2.3 version.
http://xoops.wiki.sourceforge.net/2.2.x-2.0.x_differences
Not only for security reasons, but also for some facilities for non-English websites.

8. xlurker: Re: protect admin's profile from other user?
   Posted 2007/11/10 5:12. Just popping in, 7 posts, since 2007/11/2.

Quote:

tom wrote:
Unless of course the site in question is run in total secrecy and no admin account ever posted.


If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.

9. tom: Re: protect admin's profile from other user?
   Posted 2007/11/10 5:36. Friend of XOOPS, 1359 posts, since 2002/9/21.

Quote:

I'm afraid, Tom, that this great feature is not supported by anybody except me for adding to the 2.3 version.
http://xoops.wiki.sourceforge.net/2.2.x-2.0.x_differences
Not only for security reasons, but also for some facilities for non-English websites.


Would this possibly improve security?

And if so, why are there so many opposed to it?

Quote:
If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.


Let's assume they don't have access to query the database. If they knew the UID of the admin account, what method would they use? Would this be brute force?

Or some kind of script that tries random passwords (I suppose brute force too, in a way).

If so, should we not adopt what other forum software does and allow only 5 failed attempts, then make the person wait 15 minutes, then 30 minutes, then 60 minutes and so on to try again, until they either use the new-password-by-email feature or give up?
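The schedule proposed above (5 failed attempts, then waits of 15, 30 and 60 minutes) is easy to get subtly wrong: the lock has to be checked before the password is verified, a correct password during a lock must still be refused, and a success must reset the counter. The following PHP 7.4+ class is an added example, not XOOPS code, that implements that schedule; the doubling beyond 60 minutes, the cap, and the in-memory state are my assumptions (a real install would persist the state in the database or a cache and key it on username plus client IP). Each failure is also written to a constructed audit log line with the client IP.

```php
<?php
// Added example, not XOOPS code: a login throttle for the schedule proposed
// above (5 free failures, then 15, 30, 60 minutes ... doubling each time).
// Doubling beyond 60 minutes, the cap and the in-memory state are assumptions.

final class LoginThrottle
{
    private const FREE_ATTEMPTS = 5;
    private const FIRST_WAIT    = 15 * 60;   // seconds
    private const MAX_DOUBLINGS = 6;         // cap: 15 * 2^6 minutes

    /** @var array<string, array{failures:int, lockedUntil:int}> keyed by username */
    private array $state = [];
    /** @var string[] constructed audit log, one line per refused or failed attempt */
    private array $log = [];

    /** Seconds still to wait before $user may try again (0 = may try now). */
    public function retryAfter(string $user, int $now): int
    {
        $lockedUntil = $this->state[$user]['lockedUntil'] ?? 0;
        return max(0, $lockedUntil - $now);
    }

    /**
     * Record one login attempt. $passwordOk is the result of the real credential
     * check, which the caller must only perform when retryAfter() is 0.
     * Returns 'ok', 'locked' (refused before any check, not counted) or 'failed'.
     */
    public function attempt(string $user, string $ip, bool $passwordOk, int $now): string
    {
        $wait = $this->retryAfter($user, $now);
        if ($wait > 0) {
            $this->log[] = sprintf('%d LOCKED user=%s ip=%s wait=%ds', $now, $user, $ip, $wait);
            return 'locked';
        }
        if ($passwordOk) {
            unset($this->state[$user]);      // success resets the counter
            return 'ok';
        }
        $s = $this->state[$user] ?? ['failures' => 0, 'lockedUntil' => 0];
        $s['failures']++;
        $lock = 0;
        if ($s['failures'] >= self::FREE_ATTEMPTS) {
            $doublings = min($s['failures'] - self::FREE_ATTEMPTS, self::MAX_DOUBLINGS);
            $lock = self::FIRST_WAIT << $doublings;   // 15, 30, 60, ... minutes
            $s['lockedUntil'] = $now + $lock;
        }
        $this->state[$user] = $s;
        $this->log[] = sprintf('%d FAILED user=%s ip=%s failures=%d lock=%ds', $now, $user, $ip, $s['failures'], $lock);
        return 'failed';
    }

    /** @return string[] */
    public function auditLog(): array
    {
        return $this->log;
    }
}

// Constructed scenario: one IP guessing at the 'webmaster' account.
function simulateGuessing(): array
{
    $t   = new LoginThrottle();
    $now = 1000000;
    $results = [];
    for ($i = 1; $i <= 5; $i++) {                       // five wrong guesses, 1 s apart
        $results[] = $t->attempt('webmaster', '203.0.113.9', false, $now + $i);
    }
    $results[] = $t->attempt('webmaster', '203.0.113.9', false, $now + 6);             // inside the 15 min lock
    $results[] = $t->attempt('webmaster', '203.0.113.9', false, $now + 5 + 15 * 60 + 1); // lock expired: 6th failure, 30 min lock
    $results[] = $t->attempt('webmaster', '203.0.113.9', true,  $now + 5 + 15 * 60 + 2); // right password, still refused
    return ['results' => $results, 'log' => $t->auditLog()];
}

$run = simulateGuessing();
echo implode(' ', $run['results']), "\n";
echo implode("\n", $run['log']), "\n";
```

Refusing the attempt before the password is checked is what makes the lock useful: an attacker who hits the lock learns nothing about the guess, and the refused attempts are still logged, so an admin can see the source IP and the pattern.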

10. Catzwolf: Re: protect admin's profile from other user?
   Posted 2007/11/10 8:41. Home away from home, 1392 posts, since 2007/9/30.

Quote:

tom wrote:
Would this possibly improve security?

And if so, why are there so many opposed to it?


I for one am not opposed to it, and I believe that it should be part of the core as an extra method of security. In my eyes, displaying someone's login name is like giving you half the keys to my house. I have heard all the arguments, such as it is another name to remember; well, in fact in reality it is not. The user still only has a login name and password to remember; it just means that you will have to fill in an extra display name when you register.

Quote:
If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.


Actually, it doesn't really matter whose account a hacker gets into; if someone wants admin access they really don't need the webmaster account at all, so hiding it won't make the slightest bit of difference. Plus the UID should give you a big clue anyway.

Quote:

Or some kind of script that tries random passwords (I suppose brute too in a way).


Ahh, passwords: MD5 hash broken, stolen databases with MD5 hashes, script kiddie paradise.

I have been looking into this, and the only sure method of password protection is salting a password, i.e. if a database is stolen, then the passwords' MD5 hashes would become useless under this method. Joomla has introduced this method, and so has much other PHP software.

Quote:

If so should we not adopt what other forum software's do and allow only 5 failed attempts, then make the person wait 15 minutes, then 30 minutes, then 60 minutes and so on to try again until they either use the new password to E-mail feature or give up?


I find this annoying more than anything, but I agree something like this should be implemented within Xoops.

I also believe that some type of logging ability should be added to Xoops. This way it would give an admin the ability to see failed login attempts, IP addresses and other such things.
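The post above says a stolen table of unsalted MD5 hashes is a script kiddie paradise and that salting is the fix. The following PHP script is an added example, not code from XOOPS or Joomla, that shows both halves of that claim on constructed data: a tiny precomputed MD5 lookup table recovers every weak unsalted password with one array lookup per row, while the same table finds nothing against hashes produced by PHP's built-in `password_hash()`/`password_verify()` (bcrypt with a random per-user salt). The user list and wordlist are constructed for the demo.

```php
<?php
// Added example, not code from XOOPS or Joomla. Demonstrates why stolen
// unsalted MD5 hashes crack by lookup, and what a salted slow hash changes.
// Users and wordlist below are constructed for the demo.

// Three users; two of them picked the same weak password.
$users = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'correct horse battery'];

// Legacy scheme: unsalted MD5, the way older XOOPS releases stored passwords.
function legacyHash(string $password): string
{
    return md5($password);
}

// Hardened scheme: bcrypt. password_hash() draws a random salt and embeds
// it, together with the cost, in the returned string.
function saltedHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// A precomputed lookup table (a rainbow table in miniature): md5(word) => word.
// Built once, it cracks every unsalted hash in any stolen database.
function buildMd5Table(array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

/** @return array<string,string> user => recovered password */
function crackWithTable(array $storedHashes, array $table): array
{
    $found = [];
    foreach ($storedHashes as $user => $hash) {
        if (isset($table[$hash])) {
            $found[$user] = $table[$hash];
        }
    }
    return $found;
}

$wordlist = ['123456', 'password', 'letmein', 'qwerty'];
$table    = buildMd5Table($wordlist);

// 1. Unsalted MD5: identical passwords give identical hashes, so one
//    cracked row cracks every user who shares it, and the table recovers
//    alice's and bob's password without any brute force.
$legacyDb = array_map('legacyHash', $users);
echo "legacy: alice and bob share a hash? ", var_export($legacyDb['alice'] === $legacyDb['bob'], true), "\n";
echo "legacy: recovered by table lookup:\n";
print_r(crackWithTable($legacyDb, $table));

// 2. Salted bcrypt: the same password hashes differently for each user,
//    the precomputed table matches nothing, and every guess has to be
//    hashed again per user at bcrypt cost.
$saltedDb = array_map('saltedHash', $users);
echo "salted: alice and bob share a hash? ", var_export($saltedDb['alice'] === $saltedDb['bob'], true), "\n";
echo "salted: recovered by table lookup:\n";
print_r(crackWithTable($saltedDb, $table));

// 3. The legitimate login still verifies against the salted hash.
echo "verify right password: ", var_export(password_verify('letmein', $saltedDb['alice']), true), "\n";
echo "verify wrong password: ", var_export(password_verify('wrong', $saltedDb['alice']), true), "\n";

// Migration: existing MD5 rows cannot be re-salted without the plaintext.
// The usual approach is to verify the old MD5 at login and, on success,
// overwrite the row with saltedHash($password).
```

Salting removes the shared-work advantage (one table cracks all sites, one cracked row cracks all users with that password); the bcrypt cost parameter is what slows a targeted guess at a single weak password, which salting alone does not do.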
