CodeJunky2008
  • Posts: 27
  • Joined: 24/04/2008
Hi

Not sure if this is an oversight or maybe I am just paranoid but the feature granted to moderators to invite users into closed forums is great. The problem I have discovered is that the mod_forumuser.ascx control pulls in the access list from the generic YAF.Classes.Data.DB.accessmask_list() method. This returns all access masks in the database including masks that are for administrators. A moderator could add users into access masks that they should not have rights to view themselves let alone anyone else.

I have implemented some code in the BindData() of the mod_forumuser.cs to trim the accesslist after it is returned using my own naming convention. I know this is not ideal for a generic solution and look forward to the YAF developers' comments.

In case anyone is interested, here is my code:

private void BindData()
{
    // Full list of access masks for the board, including administrator masks
    DataTable dt = YAF.Classes.Data.DB.accessmask_list(PageContext.PageBoardID, null);

    // Same schema as dt, but empty; only the masks we allow are imported below
    DataTable filteredDataTable = dt.Clone();

    foreach (DataRow row in dt.Rows)
    {
        // Naming convention - all private forum access masks will be "Registered " + forumname
        if (row["Name"].ToString() == "Registered " + PageContext.PageForumName)
        {
            // Copy the matching row from dt into the filtered table
            filteredDataTable.ImportRow(row);
        }
    }

    AccessMaskID.DataSource = filteredDataTable;
    AccessMaskID.DataValueField = "AccessMaskID";
    AccessMaskID.DataTextField = "Name";
    DataBind();
}


I hope this is of use. It's a great product, and hats off for all your work.
Ederon
  • Posts: 902
  • Joined: 07/01/2007
Yeah, this is an issue. I've dealt with it a different way in my quirk 1.9.0 version. Rather than checking names, I'm checking access mask bits. So moderators (non-administrators) can assign only non-moderator access masks of the same or lower power than their own access mask is (this being checked per forum, not globally).

Before pushing this to the current version I believe there needs to be more consideration beforehand. For example, the ability to invite people (i.e. grant them access permissions) might be governed by an access mask too. In general, I think the "moderator" access mask flag should be broken down into a few atomic ones. One is inviting, another might be moving/deleting/editing/locking etc. This is up for discussion.
When I post FP:Ederon in a topic, I'm leaving my footprint there so I can track it once I get into coding/supporting.
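The bit-based check Ederon describes, as an added example that is not code from the thread or from YAF itself: a mask is grantable only if it carries no moderator bit and every bit it sets is already held by the acting moderator's own per-forum mask. The flag bit values, the enum name, and the Flags column on the access mask rows are assumptions made for this example.

```csharp
using System;
using System.Data;

// Stand-in for the flag bits stored in an access mask's Flags column.
// Bit values are assumed for this example; check YAF's own flag definitions.
[Flags]
enum AccessFlags { Read = 1, Post = 2, Reply = 4, Moderator = 64, Edit = 128, Delete = 256 }

static class AccessMaskFilter
{
    // Returns only the masks a forum moderator may hand out: masks carrying no
    // moderator bit, and whose bits are all already present in the moderator's own
    // mask for this forum. Row layout (AccessMaskID, Name, Flags) is assumed.
    public static DataTable FilterGrantable(DataTable allMasks, int moderatorFlags)
    {
        DataTable grantable = allMasks.Clone();
        foreach (DataRow row in allMasks.Rows)
        {
            int flags = Convert.ToInt32(row["Flags"]);
            bool elevates = (flags & (int)AccessFlags.Moderator) != 0;
            bool withinOwn = (flags & ~moderatorFlags) == 0; // no bit the moderator lacks
            if (!elevates && withinOwn)
                grantable.ImportRow(row);
        }
        return grantable;
    }

    static void Main()
    {
        // Constructed sample of what accessmask_list() might return for a board.
        var masks = new DataTable();
        masks.Columns.Add("AccessMaskID", typeof(int));
        masks.Columns.Add("Name", typeof(string));
        masks.Columns.Add("Flags", typeof(int));
        masks.Rows.Add(1, "Read Only", (int)AccessFlags.Read);
        masks.Rows.Add(2, "Member", (int)(AccessFlags.Read | AccessFlags.Post | AccessFlags.Reply));
        masks.Rows.Add(3, "Editor", (int)(AccessFlags.Read | AccessFlags.Post | AccessFlags.Edit | AccessFlags.Delete));
        masks.Rows.Add(4, "Moderator", (int)(AccessFlags.Read | AccessFlags.Post | AccessFlags.Reply | AccessFlags.Moderator));

        // The acting moderator's own mask for the current forum.
        int own = (int)(AccessFlags.Read | AccessFlags.Post | AccessFlags.Reply | AccessFlags.Moderator);
        foreach (DataRow row in FilterGrantable(masks, own).Rows)
            Console.WriteLine(row["Name"]);
    }
}
```

Binding the filtered table to AccessMaskID in BindData(), as in the first post, then gives a dropdown that cannot grant editing, deletion or moderation rights the moderator does not already hold in that forum.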
CodeJunky2008
  • Posts: 27
  • Joined: 24/04/2008
Checking access masks using bits is a much more elegant solution, but this assumes that moderators can hold responsibility site-wide, e.g. they can add users into other forums. My organisation is paranoid about security and wants the most granular model possible. My approach limits the user to only being able to grant access masks for the current forum they are moderating. I agree that this is something that needs careful thought and look forward to the discussion.
    Copyright © YetAnotherForum.NET & Ingo Herbote. All rights reserved