Bravo List


puppy 7th November 2016 21:51

Staff Tools Advice
 
Hey guys,

I was talking to my staff and we were running some minor security checks with staff tools. I am no professional, so I am here seeking some advice about changing the access points for the tools.

Say that the tool adduser is dedicated to Admin via the db, but when I am a moderator and I type in the address bar http://domain.org/staffpanel.php?tool=adduser or whatever it may be, I can access it. Is there any way to code it so I can dedicate that tool only to a certain class, to stop it being reached by lower classes like Moderators?

I am using u232 v4.
I am running Ubuntu 14.04.

DND 7th November 2016 22:46

if ($CURUSER['class'] < UC_ADMINISTRATOR)
    stderr('Error', 'Access Denied');

Inside the file at the top,
but knowing V4 you should already have some class check there.
Just change it in the files to work for your needs.

son 7th November 2016 23:35

The easy way would be on staffpanel.php: on the right-hand side there's an edit icon (pencil). Click on it and you can change the "available for" in the option / dropdown box for whatever tool you want to change.

puppy 8th November 2016 03:43

When I move that tool to Administrator class via db or the panel itself and then demote myself to Moderator, that class check still allows me to use a tool that is designated for Administrator by using the address bar.

I appreciate the advice / help provided guys, thank you.

son 8th November 2016 11:59

Quote:

Originally Posted by puppy (Post 49609)
When I move that tool to Administrator class via db or the panel itself and then demote myself to Moderator, that class check still allows me to use a tool that is designated for Administrator by using the address bar.

I appreciate the advice / help provided guys, thank you.

Does this happen when you do other things as staff? If so then check cache/staff_setting.php and cache/staff_sttings2.php to see if they have correct info.

whocares 8th November 2016 17:56

To fix this, in include/class/class_check.php replace the current function get_access with:

PHP Code:

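function get_access($script) {
    global $mc1;
    // Query string of the requested script, e.g. "tool=adduser&action=..."
    $ending = parse_url($script, PHP_URL_QUERY);
    $count = substr_count($ending, "&");
    $i = 0;
    // Strip trailing "&key=value" pairs so only the first parameter remains
    while ($i <= $count) {
        if (strpos($ending, "&")) {
            $ending = substr($ending, 0, strrpos($ending, "&"));
        }
        $i++;
    }
    // Look up the required class in the cache first, then in the staffpanel table
    if (($class = $mc1->get_value('av_class_' . $ending)) == false) {
        // $ending comes from the request URL, so escape it before it goes into the query
        // (sqlesc() is U-232's quoting/escaping helper, assumed available here)
        $classid = sql_query("SELECT av_class FROM staffpanel WHERE file_name LIKE " . sqlesc('%' . $ending . '%')) or sqlerr(__file__, __line__);
        $classid = mysqli_fetch_assoc($classid);
        $class = (int)$classid['av_class'];
        $mc1->cache_value('av_class_' . $ending, $class, 900); //== test values 15 minutes to 0 once delete key in place //==
    }
    return $class;
}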
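
The check this thread is after, as an added example that is not part of the original post and not U-232 code: resolve the tool's required class by exact name with a prepared statement, and deny when the tool is unregistered or malformed. Assumptions: an in-memory SQLite table (needs pdo_sqlite) stands in for the MySQL staffpanel table, the class numbers and rows are constructed, and required_class_for() / can_use_tool() are hypothetical names.

```php
<?php
// Added example, not U-232 code. Class numbers and table rows are constructed.
const UC_MODERATOR = 4;
const UC_ADMINISTRATOR = 5;

// Stand-in for the staffpanel table (file_name / av_class columns as in the thread).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE staffpanel (file_name TEXT PRIMARY KEY, av_class INTEGER NOT NULL)");
    $ins = $db->prepare("INSERT INTO staffpanel (file_name, av_class) VALUES (?, ?)");
    $ins->execute(['staffpanel.php?tool=adduser', UC_ADMINISTRATOR]);
    $ins->execute(['staffpanel.php?tool=warn', UC_MODERATOR]);
    return $db;
}

// Class required for the requested tool, or null when the tool is not registered.
function required_class_for(PDO $db, string $requestUri): ?int {
    parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $params);
    $tool = $params['tool'] ?? '';
    // Allow-list the shape of the tool name before it is used in a lookup.
    if (!is_string($tool) || !preg_match('/^[a-z0-9_]{1,64}$/', $tool)) {
        return null;
    }
    // Exact match with a bound parameter: no substring matching, no string building.
    $q = $db->prepare("SELECT av_class FROM staffpanel WHERE file_name = ?");
    $q->execute(['staffpanel.php?tool=' . $tool]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['av_class'];
}

// Deny by default: an unknown tool is refused, whatever the user's class.
function can_use_tool(PDO $db, int $userClass, string $requestUri): bool {
    $required = required_class_for($db, $requestUri);
    return $required !== null && $userClass >= $required;
}

$db = demo_db();
$cases = [
    [UC_MODERATOR, '/staffpanel.php?tool=adduser'],
    [UC_ADMINISTRATOR, '/staffpanel.php?tool=adduser&action=add'],
    [UC_MODERATOR, '/staffpanel.php?tool=warn'],
    [UC_ADMINISTRATOR, '/staffpanel.php?tool=nosuchtool'],
    [UC_ADMINISTRATOR, '/staffpanel.php?tool=adduser.bak'],
];
foreach ($cases as [$class, $uri]) {
    printf("class %d %-42s %s\n", $class, $uri, can_use_tool($db, $class, $uri) ? 'allow' : 'deny');
}
```

The decision is made on the server for every request, so typing the tool URL into the address bar gets the same answer as clicking through the panel.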


puppy 9th November 2016 09:57

Quote:

Does this happen when you do other things as staff? If so then check cache/staff_setting.php and cache/staff_sttings2.php to see if they have correct info.

They have all the correct information mate.

Quote:

To fix this, in include/class/class_check.php replace the current function get_access with:

PHP Code:

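function get_access($script) {
    global $mc1;
    // Query string of the requested script, e.g. "tool=adduser&action=..."
    $ending = parse_url($script, PHP_URL_QUERY);
    $count = substr_count($ending, "&");
    $i = 0;
    // Strip trailing "&key=value" pairs so only the first parameter remains
    while ($i <= $count) {
        if (strpos($ending, "&")) {
            $ending = substr($ending, 0, strrpos($ending, "&"));
        }
        $i++;
    }
    // Look up the required class in the cache first, then in the staffpanel table
    if (($class = $mc1->get_value('av_class_' . $ending)) == false) {
        // $ending comes from the request URL, so escape it before it goes into the query
        // (sqlesc() is U-232's quoting/escaping helper, assumed available here)
        $classid = sql_query("SELECT av_class FROM staffpanel WHERE file_name LIKE " . sqlesc('%' . $ending . '%')) or sqlerr(__file__, __line__);
        $classid = mysqli_fetch_assoc($classid);
        $class = (int)$classid['av_class'];
        $mc1->cache_value('av_class_' . $ending, $class, 900); //== test values 15 minutes to 0 once delete key in place //==
    }
    return $class;
}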


Thanks for the helping hand :ok:

BamBam0077 9th April 2020 14:12

Thank Goodness


All times are GMT +2.