"Administrate forum and database" permission split up

Started by devil9394, April 10, 2012, 01:29:44 PM

devil9394

Quote from: 青山 素子 on April 20, 2012, 12:47:15 AM
It's a good idea, but the only problem is that the replacement for the censored word can be any kind of thing at all, even JavaScript and arbitrary HTML. The feature would have to be re-written to not allow anything beyond basic bbcode to make it safe for granting to non-admins. Personally, I think it has merit.

Excuse me, but I did not understand pretty well what you meant. Are you saying that there has to be a replacement for the Censored Word option from posts and topics, so it could be added to lower ranks too?

emanuele

I think the meaning is that to allow "lower ranks" to enter replacement for censored words, at least on saving they have to be passed through parse_bbc or preparsecode (don't remember which one is the important one...) because at the moment you can put anything you want as replacement, even crappy html.


Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

青山 素子

Quote from: emanuele on April 21, 2012, 12:03:28 PM
because at the moment you can put anything you want as replacement, even crappy html.

Yeah, basically. Anyone with access to edit the censored words list can use any code they want and it's accepted. This is a security issue if you allow lower-trust users access to the feature.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


devil9394

Quote from: 青山 素子 on April 21, 2012, 01:13:26 PM
Quote from: emanuele on April 21, 2012, 12:03:28 PM
because at the moment you can put anything you want as replacement, even crappy html.

Yeah, basically. Anyone with access to edit the censored words list can use any code they want and it's accepted. This is a security issue if you allow lower-trust users access to the feature.

What if it will be made so the words that are added there will be automatically changed with a number of * equal to the number of the characters from the censored word?

Anyway, if this could be added as a permission to which rank you want, then it could be easily removed from the ranks that abuse it in that way, as it's very easy to edit the censored words list, and to take care of an abuse of it.

青山 素子

Quote from: devil9394 on April 21, 2012, 03:11:04 PM
What if it will be made so the words that are added there will be automatically changed with a number of * equal to the number of the characters from the censored word?

It's an option, but then you can't do word-replacement gags or substitutions (like changing "Voldemort" into "he-who-must-not-be-named"). It'd probably be better to just only allow bbcode for formatting and to strip or ignore raw HTML.


Quote from: devil9394 on April 21, 2012, 03:11:04 PM
Anyway, if this could be added as a permission to which rank you want, then it could be easily removed from the ranks that abuse it in that way, as it's very easy to edit the censored words list, and to take care of an abuse of it.

It's not just abuse by people who have legitimate access, but if their accounts are compromised. I understand that someone who has admin-level access might also have this problem, but usually people that would have enough trust for that level of access would normally be more careful about that kind of thing.


emanuele

Wellllll.....there could be two things: a "proper" censoring where words are replaced by asterisks and a string-replacement.
The first a mere list of words that can be added by "moderators", the second an admin thing.

* emanuele said nothing!



devil9394

Quote from: emanuele on April 22, 2012, 05:59:56 AM
Wellllll.....there could be two things: a "proper" censoring where words are replaced by asterisks and a string-replacement.
The first a mere list of words that can be added by "moderators", the second an admin thing.

* emanuele said nothing!

So you are suggesting to let the current censored list there, and just add a new one with that function for lower staff member ranks? If so, then I agree with that too.
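
The two-list idea discussed in this thread, sketched as an added example (not part of any post and not SMF's code; all function and variable names are hypothetical): a moderator-editable list that is always masked with asterisks, and an admin-only substitution list whose replacements are HTML-escaped when saved. It assumes post text is HTML-escaped before censoring and leaves bbcode rendering out.

```php
<?php
// Added example, not SMF code: every function and variable name is hypothetical.
// Assumes post text is HTML-escaped before censoring and echoed as-is afterwards.

// Admin tier: escape the replacement when it is saved, so a stored value
// can never carry live HTML or script into a rendered post.
function save_substitution(array &$list, string $word, string $replacement): void
{
    $list[$word] = htmlspecialchars($replacement, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a case-insensitive whole-word pattern; preg_quote() keeps regex
// metacharacters in a list entry from changing the pattern.
function word_pattern(string $word): string
{
    return '/\b' . preg_quote($word, '/') . '\b/iu';
}

function censor_text(string $escapedText, array $maskWords, array $substitutions): string
{
    // Moderator tier: the editor supplies only the word; the output is always
    // asterisks, one per character, so it cannot contain markup.
    foreach ($maskWords as $word) {
        $escapedText = preg_replace_callback(word_pattern($word), function (array $m): string {
            return str_repeat('*', preg_match_all('/./su', $m[0]));
        }, $escapedText) ?? $escapedText;
    }
    // Admin tier: a callback returns the stored text literally, so "$1" or
    // "\1" in a replacement is not treated as a backreference.
    foreach ($substitutions as $word => $replacement) {
        $escapedText = preg_replace_callback(word_pattern((string) $word), function () use ($replacement): string {
            return $replacement;
        }, $escapedText) ?? $escapedText;
    }
    return $escapedText;
}

// Constructed sample data.
$maskWords = ['darn'];
$substitutions = [];
save_substitution($substitutions, 'Voldemort', 'he-who-must-not-be-named');
save_substitution($substitutions, 'foo', '<script>alert(1)</script>');

$post = htmlspecialchars('Darn, Voldemort said foo.', ENT_QUOTES, 'UTF-8');
echo censor_text($post, $maskWords, $substitutions), PHP_EOL;
```

The third sample entry shows a raw-HTML replacement coming out as inert escaped text rather than markup.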

Hathor

Quote from: devil9394 on April 10, 2012, 01:29:44 PM
I wanted to suggest something related to the Permissions.

"Administrate forum and database" permission should be split up in some other options, since there are some important things that could be added to some ranks, without giving the access of the most important and secret things of the forum (Package Manager, to all the Configuration Permissions)

- Censored List (from Posts and Topics): This list could be edited by other ranks, without having access to the Package Manager, to all the Configuration Permissions, etc.

And I don't know, if you think some more things from there could be split up, it'd be very good.

Ancient thread, but I'll bite. I renamed Administrator group to Webmaster and created a new administrator group. The new admin group had access to everything they needed for administrating the forum, minus database access.
