Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Security issue: separation of privileges

edited August 2005 in Vanilla 1.0 Help
I've been testing Vanilla for a few weeks now, and i found something which could be a security issue: in the Role Management, where you assign privileges to certain roles, I see two options: "Administrative privileges for users AND roles" "Administrative privileges for discussions AND categories" I think that the privileges for users, roles, discussions, and categories should be separated. A real-life example: I create a role called "Moderator". I want this role to be able to modify discussions (and maybe users), but I do not want to give them access to the roles and categories configuration, for security reasons. What do you think about this?


  • Yeah, i thought the lack of seperatable privelidges was a little annoying. I guess this has to come more if RWX permissions are implemented. I assume its gonna have to be a v1 thing unless mark wants to/has upgraded the permissions scope across the board (pun intended)
  • lechlech Chicagoland
    I'll weight in on this and say that, yes, this could have a potential for abuse if say, you give a person moderator access to categories and discussions. It gives that user the power to say, lock higher admins out of certain discussions by hiding categories. Nothing overly dangerous, just annoying if your moderator is a complete asshat. But I'll agree that in the future these should be split up possibly for a wider range of control.
  • I hope we'll see this feature in 1.0 ;)
  • MarkMark Vanilla Staff
    I can definitely separate this for the next rev. I've already torn apart the code quite a bit, so I don't see the harm in making more big changes :) Want to add it to the enhancement list?
  • lechlech Chicagoland
    got it
  • does this include rwx?
  • MarkMark Vanilla Staff
    the read/write permissions are already on the list, I believe.
This discussion has been closed.