Suggested default change for Member Permissions

Started by Douglas, September 30, 2004, 01:00:44 PM

Douglas

This is a major problem that I've seen occurring on quite a few sites, and I really think the default permission needs to be changed.

Right now, default is to allow members to delete their own accounts.  EVERY message board that I've ever been to, by default, restricts account deletion to administrators.  The main admin account is also protected from deletion (vBulletin does this, and it's a hard coded variable in the config file).

Can we please do two things here?

Change the default Membership permission so that no one but Admins can delete anyone's accounts?  If someone wants to allow people to delete their account, then they can go in and manually authorize it.

Set up a new field in Settings.php called $protected_accounts and have it list, by ID number (default is always 1), the accounts that are protected from deletion, password changes or email address changes.  Should be comma separated to allow for more than one protected account.  This could also be applied to prevent anyone but the owner of that account from editing/deleting posts/threads made by that person.

Two very much needed security enhancements in my eye.  Hope y'all would consider it.  :)
Doug Hazard
* Full Stack (Web) Developer for The Catholic Diocese of Richmond
(20+ Diocesan sites, 130+ Church sites & 24 School sites)
* HBCUAC.org Web Developer, the NAIA's only HBCU Athletic Conference
* Former Sports Photographer and Media Personality and Former CFB Historian
* Tech Admin for one 2.9M+ post and one 11.6M+ post sites. Used to own a 1M+ post site.
* WordPress Developer (Junkie / Guru / Maven / whatever)
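As an added illustration of the $protected_accounts idea proposed above (this is not SMF's code and the setting does not exist in SMF; the function names and the `'1,42'` sample value are assumptions), here is how such a Settings.php list could be parsed and enforced before any web-initiated delete, password reset or email change. Member ID 1 is always included, as the proposal asks. Because the list lives only in a file on disk, lifting the protection requires file access (FTP, shell), not a web form, which is the whole point of the safeguard; it does nothing against someone who already has file or database access.

```php
<?php
// Hypothetical helper, not part of SMF. Assumes a line in Settings.php such as:
//   $protected_accounts = '1,42';
// Member ID 1 is always protected regardless of the list contents.

function parseProtectedAccounts(string $list): array
{
    // Tolerate spaces and empty entries ("1, 42,,7") and ignore anything
    // that is not a plain positive integer, so a typo cannot widen the list
    // to unexpected IDs or break the check.
    $ids = [1];
    foreach (explode(',', $list) as $piece) {
        $piece = trim($piece);
        if ($piece !== '' && ctype_digit($piece) && (int) $piece > 0) {
            $ids[] = (int) $piece;
        }
    }
    return array_values(array_unique($ids));
}

function isProtectedAccount(int $memberId, string $list): bool
{
    return in_array($memberId, parseProtectedAccounts($list), true);
}

// Call this at the top of every code path that would delete a member or
// change their password, email address or display name via the web UI.
function assertAccountMutable(int $targetId, string $action, string $list): void
{
    if (isProtectedAccount($targetId, $list)) {
        // Record the refused attempt; repeated refusals against admin IDs are
        // worth alerting on, since they suggest a compromised moderator session.
        error_log(sprintf('Refused %s on protected member %d', $action, $targetId));
        throw new RuntimeException(
            'This account is protected. Edit $protected_accounts in Settings.php to change it.'
        );
    }
}

// Constructed sample: protect IDs 1 and 42, then try to delete member 42.
$protected_accounts = '1, 42';
var_dump(isProtectedAccount(42, $protected_accounts)); // bool(true)
var_dump(isProtectedAccount(7, $protected_accounts));  // bool(false)
assertAccountMutable(7, 'delete', $protected_accounts);  // allowed, returns normally
try {
    assertAccountMutable(42, 'delete', $protected_accounts);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The check is deliberately applied to every mutating action, not only deletion: as the later replies in this thread point out, blocking deletion alone is meaningless if an attacker can still change the email address and password and then simply take the account over.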

A.M.A

Really sorry .. real life is demanding my full attention .. will be back soon hopefully :)

Tristan Perry

1) Seems alright, although can't this be resolved with permissions easily enough? Just make it so that no member group can delete accounts, or their own accounts.

2) http://www.simplemachines.org/community/index.php?topic=16510.0 It's basically what you're looking for, isn't it?

[Unknown]

We deleted the first account here.  I really don't see how stopping that improves security, because if you can delete accounts there are other, worse things you could do anyway.

As for deleting your account... I know and it always pisses me off.  If I'm done at a forum, I'm done.  I should be able to delete my account, because I created it, and it's mine with my information.  There may even be privacy laws supporting this assertion.

Yes, it's horrible when someone accidentally deletes their account.  That was too easy in YaBB SE.  In SMF, accidentally deleting your account takes being on drugs or something :P, at least imho.

Not being able to delete the "main admin" (to me that is such a joke) account, though, seems entirely useless to me.  If I were a hacker, and I was trying to delete all the admins' accounts... this might stop me, yes.  Except for:
  - if there's any interface for it, I can probably unprotect them (or if I have FTP access.)
  - if there's no interface for it, the administrators probably didn't protect themselves.
  - even if the administrators are protected, all I have to do is change their email, password, and secret question.

Meaning, it wouldn't even slow any hacker down at all.  Thus it seems only to be pointless bloat to me... unless you're going to say that the "main admin" (again I have to chuckle at how ridiculous that sounds) shouldn't be able to change his email address, or something.  If he does, I guess he'll have to reinstall SMF - otherwise, this "account deletion prevention" functionality would be useless.

-[Unknown]

Douglas

Good points, let me explain how it works.  In vBulletin, this is enabled, however, you have to go in and manually edit the config file via Notepad, pico, vi, or whatever other means you have to edit flat files locally or remotely.  What this does is prevents any kind of changes happening via the boards to anyone's account that's listed in the protection schema.  Perhaps when this feature is implemented, it could take the current list (bundled in upgrade.php) of Administrators (primary member group) and alter the list that way.  Then any changes after that would require a direct modification to Settings.php via FTP or one of the other measures.  It really is a very important safeguard to have.  Prevents any changes being made to those accounts, such as password resets, email address changes or even name changes.  It actually IS another layer of security for admin type accounts.  I stand behind this one very strongly.

As far as the other option is concerned, technically, no one owns their account except for administration.  While I know where you are coming from, we've had people cause so much damage to the forums when they deleted their accounts.  Trying to re-associate posts and threads to their accounts is a nightmare.  Remember, I wrote a script for YaBB SE that automated this a bit more, however, with SMF, it's considerably more difficult, due to the fact that we're using ID numbers to manage this, instead of member names.

One of my customers had a member that deleted her account, she had over 300 posts associated with it.  She's ticked at other members, NOT the administration, and lashed out at them by doing this.  I have subsequently gone in and changed the permissions to prevent this from happening.  How about a compromise, Brackets?  Make it a configurable option in the Installation and Upgrade scripts?  That way, the admins performing the upgrade can make the decision based on what's best for their needs?

Ben_S

It's just as easy to re-associate posts to a user in SMF as it was in YaBB SE.
Liverpool FC Forum with 14 million+ posts.

[Unknown]

That would be such a pain.  I've been administrator of many forums, including this one, and had to change my email address.  If I couldn't I would just get annoyed.... and I can see someone saying, "ahh... don't install SMF, you can't change your profile there if you're an admin!  No, install phpBB... it's not as good but it's easier to work with."  If it's not easy to do, most won't do it anyway, and it will be a waste.  Seems very much like a mod to me.

No, I own my account here.  I feel very strongly about this.  If you tell me that you own my account when I sign up on your forum... I won't sign up.  No joke.  I wouldn't sign up to a forum where I'm not in control of myself.... that's just common courtesy imho.

Umm... YaBB SE used ID_MEMBER too.  It's hardly any different at that point, just that ID_MEMBER is used more often.

It's already configurable!

-[Unknown]

Elysia

Quote from: Ben_S - September 30, 2004, 02:22:13 PM
It's just as easy to re-associate posts to a user in SMF as it was in YaBB SE.

Can someone tell me how please? As the admin has just accidentally deleted an account instead of removing them from the global mods group, and the member is a little miffed, I now have the task of sorting it out for them.  :)

Elysia

Scratch the last request, I found the query to use elsewhere on the board. Now fingers crossed it will work for me. :)
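Elysia asks above how posts can be re-associated with a member after an account was deleted. As an added illustration (not SMF's own code, and not the query she found), here is one careful way to do it, assuming an SMF 1.x-style schema in which the messages table is `smf_messages`, the author column is `ID_MEMBER` and the stored author name is `posterName`, and assuming that deleting a member leaves its posts with `ID_MEMBER = 0`. The helper names and the PDO connection details are assumptions.

```php
<?php
// Hypothetical helpers, not part of SMF. Assumed schema: smf_messages with
// columns ID_MEMBER (int) and posterName (string); orphaned posts carry
// ID_MEMBER = 0 after the owning account was deleted.

// Count how many orphaned posts match the name before changing anything,
// so the admin can confirm the number looks right (e.g. "about 300").
function countOrphanedPosts(PDO $db, string $posterName, string $prefix = 'smf_'): int
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM {$prefix}messages WHERE ID_MEMBER = 0 AND posterName = :name"
    );
    $stmt->execute([':name' => $posterName]);
    return (int) $stmt->fetchColumn();
}

// Re-attach only orphaned rows (ID_MEMBER = 0) whose stored poster name
// matches, so posts that belong to some other, still-existing member are
// never reassigned by accident. Returns the number of rows changed.
function reassociatePosts(PDO $db, int $newMemberId, string $posterName, string $prefix = 'smf_'): int
{
    if ($newMemberId <= 0) {
        throw new InvalidArgumentException('newMemberId must be a real member ID');
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            "UPDATE {$prefix}messages SET ID_MEMBER = :id
              WHERE ID_MEMBER = 0 AND posterName = :name"
        );
        $stmt->execute([':id' => $newMemberId, ':name' => $posterName]);
        $changed = $stmt->rowCount();

        // Keep the member's post counter consistent with the rows just moved.
        $stmt = $db->prepare(
            "UPDATE {$prefix}members SET posts = posts + :n WHERE ID_MEMBER = :id"
        );
        $stmt->execute([':n' => $changed, ':id' => $newMemberId]);

        $db->commit();
        return $changed;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed usage: connection values are placeholders.
$db = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$name = 'ExampleMember';   // the display name stored on the orphaned posts
$newId = 123;              // the freshly re-created account's ID
printf("Orphaned posts for %s: %d\n", $name, countOrphanedPosts($db, $name));
printf("Re-attached %d posts to member %d\n", reassociatePosts($db, $newId, $name), $newId);
```

Matching on the stored poster name rather than on the old ID is what makes this workable after deletion, since the old ID no longer exists; restricting the update to `ID_MEMBER = 0` is what keeps it from touching anyone else's posts. Take a database backup before running it, and check the preview count first.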
