SMF Development > Feature Requests

"Administrate forum and database" permission split up


devil9394:

--- Quote from: 青山 素子 on April 20, 2012, 12:47:15 AM ---It's a good idea, but the only problem is that the replacement for the censored word can be any kind of thing at all, even JavaScript and arbitrary HTML. The feature would have to be re-written to not allow anything beyond basic bbcode to make it safe for granting to non-admins. Personally, I think it has merit.
--- End quote ---
Excuse me, but I did not understand pretty well what you meant. Are you saying that there has to be a replacement for the Censored Word option from posts and topics, so it could be added to lower ranks too?

emanuele:
I think the meaning is that to allow "lower ranks" to enter replacements for censored words, at least on saving they have to be passed through parse_bbc or preparsecode (don't remember which one is the important one...) because at the moment you can put anything you want as replacement, even crappy html.

青山 素子:

--- Quote from: emanuele on April 21, 2012, 12:03:28 PM ---because at the moment you can put anything you want as replacement, even crappy html.

--- End quote ---

Yeah, basically. Anyone with access to edit the censored words list can use any code they want and it's accepted. This is a security issue if you allow lower-trust users access to the feature.

devil9394:

--- Quote from: 青山 素子 on April 21, 2012, 01:13:26 PM ---
--- Quote from: emanuele on April 21, 2012, 12:03:28 PM ---because at the moment you can put anything you want as replacement, even crappy html.

--- End quote ---

Yeah, basically. Anyone with access to edit the censored words list can use any code they want and it's accepted. This is a security issue if you allow lower-trust users access to the feature.

--- End quote ---
What if it will be made so the words that are added there will be automatically changed with a number of * equal to the number of the characters from the censored word?

Anyway, if this could be added as a permission to which rank you want, then it could be easily removed from the ranks that abuse it in that way, as it's very easy to edit the censored words list, and to take care of an abuse of it.

青山 素子:

--- Quote from: devil9394 on April 21, 2012, 03:11:04 PM ---What if it will be made so the words that are added there will be automatically changed with a number of * equal to the number of the characters from the censored word?

--- End quote ---

It's an option, but then you can't do word-replacement gags or substitutions (like changing "Voldemort" into "he-who-must-not-be-named"). It'd probably be better to just only allow bbcode for formatting and to strip or ignore raw HTML.



--- Quote from: devil9394 on April 21, 2012, 03:11:04 PM ---Anyway, if this could be added as a permission to which rank you want, then it could be easily removed from the ranks that abuse it in that way, as it's very easy to edit the censored words list, and to take care of an abuse of it.

--- End quote ---

It's not just abuse by people who have legitimate access, but if their accounts are compromised. I understand that someone who has admin-level access might also have this problem, but usually people that would have enough trust for that level of access would normally be more careful about that kind of thing.
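
The mitigation discussed in this thread (escape raw HTML in a censor replacement when the list is saved, and keep only basic bbcode) could look like the sketch below. This is an added example, not part of the thread and not SMF code: the function names and the bbcode allowlist are hypothetical, and it assumes the stored replacement is later rendered by the forum's bbcode parser.

```php
<?php
// Added illustration; function names are hypothetical and are not SMF's API.

const ALLOWED_BBC = ['b', 'i', 'u', 's'];   // assumption: what "basic bbcode" means

// Run when the censor list is saved: escape raw HTML, keep only basic bbcode.
function sanitize_replacement(string $replacement): string
{
    $safe = htmlspecialchars($replacement, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        '/\[(\/?)([a-z]+)([^\]]*)\]/i',
        function (array $m): string {
            $basic = in_array(strtolower($m[2]), ALLOWED_BBC, true) && $m[3] === '';
            // Any other tag ([url=...], [img], ...) is left as inert text.
            return $basic ? $m[0] : '&#91;' . substr($m[0], 1);
        },
        $safe
    );
}

// Apply the censor list to a post body.
function censor(string $text, array $list): string
{
    foreach ($list as $word => $replacement) {
        $text = preg_replace_callback(
            '/\b' . preg_quote((string) $word, '/') . '\b/iu',
            fn() => $replacement,   // callback keeps "$1" or "\0" in a replacement literal
            $text
        );
    }
    return $text;
}

// Constructed sample: a censor list as a lower-trust editor might submit it.
$submitted = [
    'Voldemort' => '[i]he-who-must-not-be-named[/i]',
    'darn'      => '<script>alert(1)</script>',
    'heck'      => '[url=http://example.invalid]h*ck[/url]',
];
$post = 'Well darn, what the heck, Voldemort is back.';

// Behaviour described in the thread: replacements reach the page as submitted.
echo censor($post, $submitted), "\n";

// Hardened: every replacement is sanitized once, at save time.
$stored = array_map('sanitize_replacement', $submitted);
echo censor($post, $stored), "\n";
```

In the second line of output the script tag appears as escaped text, the [url] tag is neutralized, and the [i] formatting survives for the bbcode parser, so word-substitution gags still work.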
