xoops forums

sabahan (Quite a regular; Posts: 317; Since: 2006/3/4 5)
Posted on: 2007/11/9 7:29
#1

protect admin's profile from other user?

How do I block access to the admin's profile (uid=1) from registered members and anonymous users?

thanks...

Will_H (Friend of XOOPS; Posts: 1786; Since: 2004/10/10)
Posted on: 2007/11/9 13:04
#2

Re: protect admin's profile from other user?

.htaccess? Maybe.

Alex_Grey (Just popping in; Posts: 43; Since: 2007/6/16)
Posted on: 2007/11/9 13:46
#3

Re: protect admin's profile from other user?

Below is some code for userinfo.php. It is set so only system_admin can view that profile.

$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // $isAdmin is true if the user has 'edit users' admin rights

//Added Code
if ($uid == 1 && !$isAdmin) {
    redirect_header('index.php', 3, _NOPERM); // non-admins asking for uid 1 are sent back to the front page with a "no permission" notice
}
//End
“There is nothing impossible to him who will try.” ~Alex The Great~

xlurker (Just popping in; Posts: 7; Since: 2007/11/2)
Posted on: 2007/11/9 20:47
#4

Re: protect admin's profile from other user?

Quote:

Alex_Grey wrote:
Below is some code for userinfo.php. It is set so only system_admin can view that profile.

$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // $isAdmin is true if the user has 'edit users' admin rights

//Added Code
if ($uid == 1 && !$isAdmin) {
    redirect_header('index.php', 3, _NOPERM); // non-admins asking for uid 1 are sent back to the front page with a "no permission" notice
}
//End


Some people deliberately set uid 1 as a non-privileged or non-existent account for security reasons. Omitting that portion of the code and just checking for !$isAdmin is sufficient.

$isAdmin = $gperm_handler->checkRight('system_admin', XOOPS_SYSTEM_USER, $groups); // $isAdmin is true if the user has 'edit users' admin rights

//Added Code
if (!$isAdmin) {
    redirect_header('index.php', 3, _NOPERM); // any non-admin viewer is sent back to the front page with a "no permission" notice
}
//End

sabahan (Quite a regular; Posts: 317; Since: 2006/3/4 5)
Posted on: 2007/11/10 0:40
#5

Re: protect admin's profile from other user?

thank you

tom (Friend of XOOPS; Posts: 1359; Since: 2002/9/21)
Posted on: 2007/11/10 3:49
#6

Re: protect admin's profile from other user?

Out of pure interest, how does this help security-wise? Let's just imagine a hacker sees your site and wants to cause damage: they could still find your UID from site info, or from forums and news articles posted.

Unless of course the site in question is run in total secrecy and no admin account ever posted.

Was it Catz or Mith that introduced an account feature so you could have a username and a logon name to mask the important security details? Would this not be of any serious help?

Sorry for the rather dull questions here, just intrigued to know what the real benefits are?

irmtfan (Module Developer; Posts: 3419; Since: 2003/12/7)
Posted on: 2007/11/10 4:03
#7

Re: protect admin's profile from other user?

I'm afraid, Tom,
that this great feature is not supported by anybody except me for adding to the 2.3 version.
http://xoops.wiki.sourceforge.net/2.2.x-2.0.x_differences
Not only for security reasons, but also for some facilities for non-English websites.

xlurker (Just popping in; Posts: 7; Since: 2007/11/2)
Posted on: 2007/11/10 5:12
#8

Re: protect admin's profile from other user?

Quote:

tom wrote:
Unless of course the site in question is run in total secrecy and no admin account ever posted.


If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.

tom (Friend of XOOPS; Posts: 1359; Since: 2002/9/21)
Posted on: 2007/11/10 5:36
#9

Re: protect admin's profile from other user?

Quote:

I'm afraid, Tom,
that this great feature is not supported by anybody except me for adding to the 2.3 version.
http://xoops.wiki.sourceforge.net/2.2.x-2.0.x_differences
Not only for security reasons, but also for some facilities for non-English websites.


Would this possibly improve security?

And if so, why are there so many opposed to it?

Quote:
If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.


Let's assume they don't have access to query the database. If they knew the UID of the admin account, what's the method they would use? Would this be brute force?

Or some kind of script that tries random passwords (I suppose brute too in a way).

If so, should we not adopt what other forum software does and allow only 5 failed attempts, then make the person wait 15 minutes, then 30 minutes, then 60 minutes and so on to try again, until they either use the new-password-by-e-mail feature or give up?

Catzwolf (Home away from home; Posts: 1392; Since: 2007/9/30)
Posted on: 2007/11/10 8:41
#10

Re: protect admin's profile from other user?

Quote:

tom wrote:
Would this possibly improve security?

And if so, why are there so many opposed to it?


I for one am not opposed to it and I believe that it should be part of the core as an extra method of security. In my eyes, displaying someone's login name is like giving you half the keys to my house. I have heard all the arguments, such as it is another name to remember; well, in fact, in reality it is not. The user still only has a login name and password to remember; it just means that you will have to fill in an extra display name when you register.

Quote:
If a webmaster never posts as the admin account, it makes it more difficult for the admin account to be sniffed out by casual queries. Given the DB structure of XOOPS, though, a knowledgeable hacker could circumvent this in seconds, provided they could perform DB queries that are unchecked.


Actually, it doesn't really matter whose account a hacker gets into; if someone wants admin access they really don't need the webmaster account at all, so hiding it won't make the slightest bit of difference. Plus the UID should give you a big clue anyway.

Quote:

Or some kind of script that tries random passwords (I suppose brute too in a way).


Ahh password, MD5 hash broken, stolen databases with MD5 hashes, script kiddie paradise.

I have been looking into this and the only sure method of password protection is salting a password, i.e. if a database is stolen then the passwords' MD5 hashes would become useless under this method. Joomla has introduced this method and so has much other PHP software.

Quote:

If so, should we not adopt what other forum software does and allow only 5 failed attempts, then make the person wait 15 minutes, then 30 minutes, then 60 minutes and so on to try again, until they either use the new-password-by-e-mail feature or give up?


I find this annoying more than anything, but I agree something like this should be implemented within XOOPS.

I also believe that some type of logging ability should be added to XOOPS. This way it would give an admin the ability to see failed login attempts, IP addresses and other such things.
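The escalating lockout tom proposes in #9 (5 failures, then 15/30/60 minutes) together with the failed-login log Catzwolf asks for in #10, as an added example that is not XOOPS core code; the `$state` array, `MAX_FAILURES` and the function names are assumptions standing in for whatever table the site would keep this in.

```php
<?php
// Added example, not XOOPS code: escalating lockout after repeated failed logins,
// plus an admin-readable log line per failure. $state stands in for a DB table
// keyed by username; $now is passed in explicitly so the policy is easy to exercise.

const MAX_FAILURES = 5;      // failures allowed before a lockout starts
const BASE_WAIT    = 15 * 60; // first lockout lasts 15 minutes

function lockout_seconds(int $lockouts): int {
    // 1st lockout 15 min, 2nd 30 min, 3rd 60 min, doubling from there
    return BASE_WAIT * (2 ** max(0, $lockouts - 1));
}

function fresh_entry(): array {
    return ['failures' => 0, 'lockouts' => 0, 'locked_until' => 0];
}

// true when the account may attempt a login at time $now
function login_allowed(array $state, string $uname, int $now): bool {
    $s = $state[$uname] ?? fresh_entry();
    return $now >= $s['locked_until'];
}

function record_failure(array &$state, string $uname, string $ip, int $now): void {
    $s = $state[$uname] ?? fresh_entry();
    $s['failures']++;
    if ($s['failures'] >= MAX_FAILURES) {
        $s['lockouts']++;
        $s['locked_until'] = $now + lockout_seconds($s['lockouts']);
        $s['failures'] = 0;   // the counter restarts after each lockout
    }
    $state[$uname] = $s;
    // one log line per failure: who, from where, when, and whether a lock is now active
    error_log(sprintf('[%s] failed login for "%s" from %s (locked until %s)',
        date('c', $now), $uname, $ip,
        $s['locked_until'] > $now ? date('c', $s['locked_until']) : 'n/a'));
}

function record_success(array &$state, string $uname): void {
    unset($state[$uname]);    // a good login clears the counters
}

// Constructed run: five wrong passwords for "admin" from one address (example IP).
$state = [];
$t0 = 1194652800;             // constructed timestamp (2007-11-10 00:00 UTC)
for ($i = 0; $i < MAX_FAILURES; $i++) {
    record_failure($state, 'admin', '192.0.2.10', $t0 + $i);
}
var_dump(login_allowed($state, 'admin', $t0 + 10));       // checked 10 s after the 5th failure
var_dump(login_allowed($state, 'admin', $t0 + BASE_WAIT)); // checked once the first wait has elapsed
```

A real deployment keys the counters by IP as well as by username so that one attacker cannot lock a legitimate admin out by design.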
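Catzwolf's point about salted passwords versus bare MD5, as an added example that is not XOOPS or Joomla code; it assumes PHP 7 or later for `password_hash()` and type hints, and the function names and the migrate-on-login approach are this example's own.

```php
<?php
// Added example, not XOOPS code: why a per-user salt protects a stolen user table,
// and how to migrate existing MD5 rows the first time each user logs in.

// Legacy scheme: the same password always yields the same MD5, so one precomputed
// hash->password table cracks every account in a stolen dump at once.
function legacy_md5(string $password): string {
    return md5($password);
}

// Salted scheme: password_hash() draws a random salt per call and stores it inside the
// result, so two users with the same password get different stored values.
function salted_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_salted(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Migrate-on-login: accept a bare MD5 row once, then overwrite it with a salted hash.
// $stored is passed by reference so the caller can write the new value back to the DB.
function verify_and_upgrade(string $password, string &$stored): bool {
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {   // row still holds a bare MD5
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $stored = salted_hash($password);                     // upgrade happens here
        return true;
    }
    return verify_salted($password, $stored);
}

// Constructed demo: two users who chose the same password.
$aliceOld = legacy_md5('hunter2');
$bobOld   = legacy_md5('hunter2');
echo 'MD5 rows identical: ', var_export($aliceOld === $bobOld, true), "\n";

$aliceNew = salted_hash('hunter2');
$bobNew   = salted_hash('hunter2');
echo 'Salted rows identical: ', var_export($aliceNew === $bobNew, true), "\n";
echo 'Salted verify works: ', var_export(verify_salted('hunter2', $bobNew), true), "\n";

$row = legacy_md5('hunter2');
echo 'Upgrade on login: ', var_export(verify_and_upgrade('hunter2', $row), true), "\n";
echo 'Row is still a bare MD5: ', var_export(strlen($row) === 32, true), "\n";
```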