Moderator - Invite user security issue

CodeJunky2008
66.2% (Friendly)
YAF Forumling Topic Starter

14 years ago

Hi

Not sure if this is an oversight or maybe I am just paranoid but the feature granted to moderators to invite users into closed forums is great. The problem I have discovered is that the mod_forumuser.ascx control pulls in the access list from the generic YAF.Classes.Data.DB.accessmask_list() method. This returns all access masks in the database including masks that are for administrators. A moderator could add users into access masks that they should not have rights to view themselves let alone anyone else.

I have implemented some code in the BindData() of the mod_forumuser.cs to trim the accesslist after it is returned using my own naming convention. I know this is not ideal for a generic solution and look forward to the YAF developers comments.

In case anyone is interested here is my code

private void BindData() 
		{
			
            DataTable dt = YAF.Classes.Data.DB.accessmask_list(PageContext.PageBoardID, null);
            DataTable filteredDataTable = new DataTable();

             filteredDataTable = dt.Clone();

            foreach (DataRow row in dt.Rows)
            {

                //Naming convention - all private forums access masks will be "Registered + forumname"
                if (row["Name"].ToString() == "Registered " + PageContext.PageForumName)
                {

                    // Import the Row into dt2 from dt1
                    filteredDataTable.ImportRow(row);

                }

            }
          

            AccessMaskID.DataSource = filteredDataTable;
			AccessMaskID.DataValueField = "AccessMaskID";
			AccessMaskID.DataTextField = "Name";
			DataBind();
		}

I hope this is of use, it's a great product and hats of for all your work.

Sponsor

Wanna join the discussion?! Login to your YAF.NET Support Forum forum account or Register a new forum account

Ederon
100% (Exalted)
YAF Developer

14 years ago

Yeah, this is an issue. I've dealt with it different way in my quirk 1.9.0 version. Rather than checking names, I'm checking access mask bits. So moderators (non administrators) can assign only non-moderator access masks of same or lower power than their own access mask is (this being checked fer forum, not globally).

Before pushing this to the current version I believe there needs to be more consideration beforehand. For example, ability to invite people (i.e. grant them access permissions) might be governed by access mask too. In general, I think "moderator" access mask flag should be broken down into few atomic ones. One is inviting, another might be moving/deleting/editing/locking etc. This is up for a discussion.

Edited by user 14 years ago | Reason: Not specified

When I post FP:Ederon in a topic, I'm leaving my footprint there so I can track it once I get into coding/supporting.

CodeJunky2008
66.2% (Friendly)
YAF Forumling Topic Starter

14 years ago

Checking access masks using bits is a much more elegant solution but this assumes that moderators are can hold reponsibility site wide e.g. they can add users into other forums. My organisation is paranoid about security and wants the most granular modal possible. My approach limits the user to only be able to grant access masks for the current forum they are moderating. I agree that this is something that needs careful thought and look forward to the discussion.

Important Information:

The YAF.NET Support Forum uses cookies. By continuing to browse this site, you are agreeing to our use of cookies. More Details Close