
Changing User Role Problem


Comments

  • edited January 2008
    I actually fixed this off-hand while writing a separate extension. It's neatly packaged and doesn't affect the core code as it uses a delegate.

    It will boot people back to the index if they attempt to change the role of someone of equal priority or otherwise it will cut off the roles from the drop-down menu which are of a higher or equal priority to the user's rank.

    It can be circumvented by fabricating your own form data to send but I don't intend to close that security hole unless someone really, really wants me to. Anyway, here's the code and I'll package it as an extension if there's enough interest:

    function WoWGF_FixRoleList($form) {
        $Context = $form->Context;
        $Other = $form->User;
        if (!$form->IsPostBack) return;

        // Look up the RoleID of the user performing the edit
        $sql = "SELECT `RoleID` FROM `{$Context->Configuration['DATABASE_TABLE_PREFIX']}User` WHERE `UserID`='{$Context->Session->UserID}'";
        $data = $Context->Database->Execute($sql, '', '', '');
        $rid = mysql_result($data, 0, 'RoleID');
        if ($rid == 4) return; // Don't cripple the administrator's privileges

        // Map every RoleID to its Priority
        $sql = "SELECT * FROM `{$Context->Configuration['DATABASE_TABLE_PREFIX']}Role`";
        $data = $Context->Database->Execute($sql, '', '', '');
        $priorities = array();
        while ($row = mysql_fetch_assoc($data))
            $priorities[$row['RoleID']] = $row['Priority'];

        // Editing someone of equal or higher rank: send the user back to the index
        if ($priorities[$rid] <= $priorities[$Other->RoleID]) {
            Redirect(GetUrl($Context->Configuration, '.'));
            exit;
        }

        // Remove roles of equal or higher priority from the drop-down
        foreach ($priorities as $roleID => $priority) {
            if ($priority >= $priorities[$rid]) $form->RoleSelect->RemoveOption($roleID);
        }
    }
    $Context->AddToDelegate('AccountRoleForm', 'Constructor', 'WoWGF_FixRoleList');

    I don't really check this community much as I'm pretty new to Vanilla but Ben mentioned he'd created this topic and there was some discussion. Since I had this lying around I thought I might as well throw it in here. Anyway, point is, if you need to contact me your best bet is email.
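The snippet above only trims the drop-down, so, as its author notes, a hand-crafted POST still goes through. The following is an added example written for this thread, not Fyorl's extension and not Vanilla's own API: it applies the same priority rule on the server side when the form is submitted, takes the actor's RoleID from the session rather than from the posted data, uses a constructed role table (the column names RoleID and Priority follow the snippet; the sample rows are made up), treats the highest-priority role as the administrator instead of assuming RoleID 4, and lets a user edit their own role only downward, as discussed later in the thread.

```php
<?php
// Constructed role table standing in for Vanilla 1's Role table.
// Higher Priority means higher rank, matching the check in the snippet above.
$roles = array(
    1 => array('Name' => 'Applicant',     'Priority' => 0),
    2 => array('Name' => 'Member',        'Priority' => 10),
    3 => array('Name' => 'Moderator',     'Priority' => 50),
    4 => array('Name' => 'Administrator', 'Priority' => 100),
);

/**
 * Decide whether a user in role $actorRoleId may move a user currently in
 * role $targetRoleId into role $newRoleId.
 * $actorRoleId must come from the server-side session, never from the form.
 * Returns null when the change is allowed, otherwise a reason string that
 * can be shown as an error instead of bouncing the user to the index.
 */
function roleChangeError(array $roles, $actorRoleId, $targetRoleId, $newRoleId, $isSelf = false) {
    // Form values arrive as strings; normalise before looking them up
    $actorRoleId  = (int) $actorRoleId;
    $targetRoleId = (int) $targetRoleId;
    $newRoleId    = (int) $newRoleId;

    // A RoleID that is not in the table (e.g. a fabricated value) is rejected outright
    if (!isset($roles[$actorRoleId]) || !isset($roles[$targetRoleId]) || !isset($roles[$newRoleId])) {
        return 'Unknown role';
    }

    // Administrator = the role with the highest priority, not a hardcoded RoleID
    $maxPriority = max(array_map(function ($r) { return $r['Priority']; }, $roles));
    $actor = $roles[$actorRoleId]['Priority'];
    if ($actor === $maxPriority) {
        return null; // administrators may do anything, including demoting other administrators
    }

    if ($isSelf) {
        // Editing your own account: only a strictly lower role is permitted
        return $roles[$newRoleId]['Priority'] < $actor ? null : 'You may only lower your own role';
    }
    if ($roles[$targetRoleId]['Priority'] >= $actor) {
        return 'You cannot change the role of a user of equal or higher rank';
    }
    if ($roles[$newRoleId]['Priority'] >= $actor) {
        return 'You cannot assign a role of equal or higher rank than your own';
    }
    return null;
}

// Constructed submissions in the shape the form would post (values as strings).
$requests = array(
    array('actor' => 3, 'target' => 2, 'new' => '2'),                  // moderator edits a member: allowed
    array('actor' => 3, 'target' => 2, 'new' => '4'),                  // forged POST to promote to admin: denied
    array('actor' => 3, 'target' => 3, 'new' => '2'),                  // moderator edits another moderator: denied
    array('actor' => 4, 'target' => 4, 'new' => '2'),                  // admin demotes another admin: allowed
    array('actor' => 3, 'target' => 3, 'new' => '2', 'self' => true),  // moderator steps down: allowed
    array('actor' => 2, 'target' => 2, 'new' => '99', 'self' => true), // role not in table: denied
);
foreach ($requests as $r) {
    $err = roleChangeError($roles, $r['actor'], $r['target'], $r['new'], !empty($r['self']));
    printf("actor=%d target=%d new=%s => %s\n",
        $r['actor'], $r['target'], $r['new'], $err === null ? 'allowed' : "denied ({$err})");
}
```

Wiring this into the extension means calling roleChangeError in the same delegate on postback and rendering the returned message as a form error, while the drop-down trimming stays as a convenience only; the server-side check is the one a forged request has to pass.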
  • edited January 2008
    Great Gerry! Good work! This is pretty much perfect now. One thing I noticed though, and I'm not sure if this is related to this hack, but none of my members with role-changing access can change their own role? When you select the new role (lower than your current one), put in a note, and hit the button - it just takes you back to the same role-changing page without any errors or notices. Weird huh? Any way you can get your code into the next upgrade?
  • Actually that's probably the intended result if his logic works the same as mine. If you try to change your own role then it will detect that you have a role priority that is equal to the role of the user you're trying to change (which is you!). Since you shouldn't be able to change the role of people who have the same role as you, it won't let you. Also, if you're worried about upgrading Vanilla then I'll stick my code in an extension (just a quick copy n' paste) and you can just install it. It doesn't hack the source code at all so Vanilla will update fine.
  • edited January 2008
    Hmm, then don't we need something which detects whether you're editing your own too? Why doesn't it show the error though, it's odd. Fyorl, I think it would be great if you could package this as an extension, even more so if you could patch the security hole. Also, is it not possible to just show an error when you try to change someone who is higher or equal to you? Booting you back to the index isn't really that great, moderators will just think the forum is broken. I've seen quite a few posts about this on this forum, so I suppose there's quite a bit of demand for it unless we get this feature in the next update (which I sort of doubt).
  • Ben
    edited January 2008
    Why would anyone want to edit their own role? You'd only be able to drop yourself down to a lower one, you wouldn't be able to promote yourself, so what would be the point?
  • edited January 2008
    Yeah sure I can make this an extension and I'll look around for a delegate in the role-changing code so I can patch the security hole via extension too. Also, I'll make sure it gives out error messages instead of kicking people back to the index. Edit: Yeah I agree with Ben. I can allow people to edit their own role but they'd only be able to make themselves a lower role. Just to clarify, Administrators can do anything, they are ignored when the priority-checking logic is applied. That's assuming the administrator RoleID is always 4. From what Ben's told me, it is.
  • Just for the sake of argument I wouldn't necessarily assume the admin RoleID is *always* 4 (particularly since it's reasonably easy to confirm either way). I'm pretty sure not letting users change their own role is a feature of the core anyway to stop an admin accidentally removing his privileges.
  • I'm not sure how easy it is to confirm really. You can't check for the role title of 'administrator' because people can give custom role titles. I'll have a look at some of the permissions and see if some are admin-only. Otherwise there is no real way to check which role is the administrator and so that functionality will have to be removed or configured with the extension. Anyone who has the 'change roles' permission can change anyone's role to anything (including their own). There is no checking for this in the core functionality which is why I wrote this.
  • edited January 2008
    @Fyorl - these are the permissions checked at the top of settings.php, so I think it's safe to say that an administrator has all these permissions, but you're right, I don't think there is one specific permission for administrator

    // Ensure the user is allowed to view this page (they must have at least one of the following permissions)
    $RequiredPermissions = array(
        'PERMISSION_CHECK_FOR_UPDATES',
        'PERMISSION_APPROVE_APPLICANTS',
        'PERMISSION_MANAGE_REGISTRATION',
        'PERMISSION_ADD_ROLES',
        'PERMISSION_EDIT_ROLES',
        'PERMISSION_REMOVE_ROLES',
        'PERMISSION_ADD_CATEGORIES',
        'PERMISSION_EDIT_CATEGORIES',
        'PERMISSION_REMOVE_CATEGORIES',
        'PERMISSION_SORT_CATEGORIES',
        'PERMISSION_CHANGE_APPLICATION_SETTINGS',
        'PERMISSION_MANAGE_EXTENSIONS',
        'PERMISSION_MANAGE_LANGUAGE',
        'PERMISSION_MANAGE_STYLES',
        'PERMISSION_MANAGE_THEMES'
    );
  • edited January 2008
    Great Fyorl, looking forward to this extension. I agree about changing your own role, I'm not bothered about this functionality really - but then why is the link to change your own role there in the first place? Although on the other hand, if you think about it, if you had two administrators - there would be absolutely no way to demote one of them. Since 1- you can't change your own role, and 2- you can't demote someone who is on the same (highest) level as you! The only way you can demote other administrators is if you remove the hack/extension and then do it. Which is sort of backwards really, so I suppose this is where the demoting yourself feature comes in handy (in case an administrator wanted to step down as admin but wants to retain their membership). Just a thought.
  • Actually, if you read the bottom of one of my posts (or the comments in the code) Administrators can do anything. They are ignored by the priority-changing logic. You just need to make sure your administrator role has a RoleID of 4 (which it is by default apparently).
  • Oh ok, missed that. Great. And I suppose since the RoleID is 4 by default, this will be fine. Although isn't there a way to select the 'highest priority' one instead of the one which is RoleID 4? This would stop any hideous bugs occurring when the RoleID is not 4 for some reason. This would be ideal, but not essential. Cheers.
  • Good point actually. That would probably be a fairly good way of detecting administrator status. I'll go update it now.
  • OK, done. No complicated install instructions, get it here.
  • Great! Although is it right that you cannot change someone's role to the same level as yours? So moderators can't make other people moderators? Also, it still boots you back to the homepage when you try to edit the role of someone on your same level. Is it easy to have an error instead? Good work though!
This discussion has been closed.