SimplePortal

Development => Bugs => Fixed or Bogus Bugs => Topic started by: ccbtimewiz on September 16, 2011, 10:52:25 PM

Title: [Security] Removing specific PHP Block permissions
Post by: ccbtimewiz on September 16, 2011, 10:52:25 PM
There should be a way to prevent people who are given the right to administrate SP from creating PHP blocks, or to give the PHP block better validation to keep it from being abused.
Title: Re: [Security] Removing specific PHP Block permissions
Post by: [SiNaN] on September 17, 2011, 06:13:32 AM
Only members with admin_forum (full admin) permission can add/edit/delete PHP blocks.
Title: Re: [Security] Removing specific PHP Block permissions
Post by: ccbtimewiz on September 17, 2011, 09:54:29 PM
'admin_forum' is far from full admin; it's more of a "tech only" admin:

-> change forum, database and theme settings
-> manage packages
-> use the forum and database maintenance tools
-> view the error and mod logs

Title: Re: [Security] Removing specific PHP Block permissions
Post by: Oldiesmann on September 18, 2011, 06:00:53 PM
It doesn't. It only returns true if that user has the "Administrate forum and database" permission, which should not be given out lightly.
Title: Re: [Security] Removing specific PHP Block permissions
Post by: ccbtimewiz on September 18, 2011, 06:01:44 PM
True, updated.
Title: Re: [Security] Removing specific PHP Block permissions
Post by: [SiNaN] on September 19, 2011, 02:22:37 AM
It'll let you do pretty much anything on the forum and there is even a notice to use that permission carefully. You wouldn't give that permission to a member that you don't trust.
Title: Re: [Security] Removing specific PHP Block permissions
Post by: ccbtimewiz on September 19, 2011, 02:36:24 AM
I suppose you're right.