Bravo List > Source Code > Trackers > Project U-232
#1, 07-11-16, 21:51, puppy (Member, Join Date: Feb 2016, P2P, Posts: 13)
Staff Tools Advice
Hey guys,

I was talking to my staff and we were running some minor security checks with staff tools. I am no professional, so I am here seeking some advice about changing the access points for the tools.

Say that the tool adduser is dedicated to Admin via the db, but when I am a moderator and I type in the address bar http://domain.org/staffpanel.php?tool=adduser (or whatever it may be), I can access it. Is there any way to code it so I can dedicate that tool only to a certain class, to stop it being reached by lower classes like Moderators?

I am using u232 v4.
I am running Ubuntu 14.04.
#2, 07-11-16, 22:46, DND (Support, Join Date: Dec 2008, Posts: 1,020)
PHP Code:
if ($CURUSER['class'] < UC_ADMINISTRATOR)
    stderr('Error', 'Access Denied');

Put that inside the file, at the top. But knowing V4, you should already have some class check there; just change it in the files to work for your needs.
__________________
Need HELP!? I can install:

  1. Server/VPS (Debian,CentOS,Ubuntu,Fedora, FreeBSD) Optimization and ... + Modules
  2. Webserver Windows/Linux (Apache/Lighttpd/Nginx/Mysql/PhpMyAdmin/SSL) Optimization and ... + Modules
  3. Seedbox Windows/Linux (uTorrent,rTorrent,libTorrent,ruTorrent) + Modules
  4. TBDev Support
  5. Gazelle Support Install
  6. TSSE Install Support
#3, 07-11-16, 23:35, son (Support, Join Date: Dec 2015, Posts: 36)
The easy way would be on staffpanel.php: on the right-hand side there's an edit icon (pencil); click on it and you can change the "available for" option in the dropdown box for whatever tool you want to change.
#4, 08-11-16, 03:43, puppy (Member, Join Date: Feb 2016, P2P, Posts: 13)
When I move that tool to the Administrator class via the db or the panel itself and then demote myself to Moderator, that class check still allows me to use a tool that is designated for Administrator via the address bar.

I appreciate the advice / help provided guys, thank you
#5, 08-11-16, 11:59, son (Support, Join Date: Dec 2015, Posts: 36)
Quote:
Originally Posted by puppy
When I move that tool to the Administrator class via the db or the panel itself and then demote myself to Moderator, that class check still allows me to use a tool that is designated for Administrator via the address bar.

I appreciate the advice / help provided guys, thank you
Does this happen when you do other things as staff? If so then check cache/staff_setting.php and cache/staff_sttings2.php to see if they have correct info.
#6, 08-11-16, 17:56, whocares (Member, Join Date: Nov 2009, United States, Posts: 6)
To fix this, in include/class/class_check.php replace the current function get_access with:

PHP Code:
function get_access($script) {
    global $mc1;
    // Keep only the query string of the requested URL, e.g. "tool=adduser&id=5".
    $ending = parse_url($script, PHP_URL_QUERY);
    // Strip every "&..." tail so only the first parameter ("tool=adduser") remains.
    $count = substr_count($ending, "&");
    $i = 0;
    while ($i <= $count) {
        if (strpos($ending, "&") !== false) {
            $ending = substr($ending, 0, strrpos($ending, "&"));
        }
        $i++;
    }
    // Try memcache first; on a miss, read the required class from the staffpanel table.
    if (($class = $mc1->get_value('av_class_' . $ending)) == false) {
        // $ending comes straight from the request URL, so it is escaped before it is
        // placed in the query; sqlesc() is the tracker's own quoting escape helper.
        $classid = sql_query("SELECT av_class FROM staffpanel WHERE file_name LIKE CONCAT('%', " . sqlesc($ending) . ", '%')") or sqlerr(__FILE__, __LINE__);
        $row = mysqli_fetch_assoc($classid);
        // No matching row (unknown tool) yields class 0, which a caller comparing with
        // "$CURUSER['class'] < get_access(...)" would treat as open to everyone.
        $class = $row ? (int)$row['av_class'] : 0;
        $mc1->cache_value('av_class_' . $ending, $class, 900); //== test value: 15 minutes; set to 0 once the delete-key code is in place //==
    }
    return $class;
}
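Both fixes in this thread make the same point: hiding a tool in the panel menu is not access control, the handler itself has to check the class on every request. The block below is an added example written for this thread; it is not U-232 code and not code from any poster here. It combines DND's "check at the top of the file" with whocares' "look the required class up per tool", but keys the lookup on the exact whitelisted value of the tool parameter rather than a LIKE match on the raw query string, and denies unknown tools instead of defaulting open. $CURUSER['class'] and stderr() follow the U-232 convention; the UC_* values and the $TOOL_ACCESS map are assumptions standing in for the staffpanel table's av_class column.

```php
<?php
// Added example, not U-232 code and not from any post in this thread.
// Assumptions: $CURUSER['class'] holds the user's numeric class and stderr()
// halts the page, as in U-232; the UC_* values below and the $TOOL_ACCESS map
// are made up here and stand in for the staffpanel table's av_class column.

define('UC_MODERATOR', 3);
define('UC_ADMINISTRATOR', 4);
define('UC_SYSOP', 5);

// Tool name => lowest class allowed to run it. Keys are the exact ?tool= value,
// so a partial (LIKE-style) match or extra parameters cannot widen the match.
$TOOL_ACCESS = array(
    'adduser'  => UC_ADMINISTRATOR,
    'viewlogs' => UC_MODERATOR,
    'cleanup'  => UC_SYSOP,
);

// Lowest class for the requested tool, or null when the tool is unknown or the
// name is not a plain token. Unknown tools are denied instead of defaulting open.
function required_class(array $query, array $toolAccess) {
    if (!isset($query['tool']) || !is_string($query['tool'])) {
        return null;
    }
    if (!preg_match('/\A[a-z0-9_]+\z/', $query['tool'])) {
        return null;
    }
    return isset($toolAccess[$query['tool']]) ? $toolAccess[$query['tool']] : null;
}

// True when the current user may run the requested tool.
function can_access(array $curuser, array $query, array $toolAccess) {
    $needed = required_class($query, $toolAccess);
    if ($needed === null) {
        return false;
    }
    return (int)$curuser['class'] >= $needed;
}

// In staffpanel.php this runs before any tool code, so typing the tool URL
// directly into the address bar goes through the same check as the menu:
//   parse_str($_SERVER['QUERY_STRING'], $query);
//   if (!can_access($CURUSER, $query, $TOOL_ACCESS)) {
//       stderr('Error', 'Access Denied');
//   }

// Self-check with constructed requests modelled on the thread's case: a
// moderator requesting ?tool=adduser is denied, an administrator is allowed,
// extra parameters change nothing, and empty, unknown or malformed tool names
// are denied.
$moderator = array('class' => UC_MODERATOR);
$admin     = array('class' => UC_ADMINISTRATOR);
$cases = array(
    array($moderator, 'tool=adduser',      false),
    array($admin,     'tool=adduser',      true),
    array($admin,     'tool=adduser&id=5', true),
    array($moderator, 'tool=viewlogs',     true),
    array($moderator, 'tool=',             false),
    array($admin,     'tool=nosuchtool',   false),
    array($admin,     'tool=adduser%00',   false), // decodes to a NUL byte
);
foreach ($cases as $case) {
    list($user, $qs, $expected) = $case;
    parse_str($qs, $query);
    if (can_access($user, $query, $TOOL_ACCESS) !== $expected) {
        throw new RuntimeException("unexpected result for '$qs'");
    }
}
echo "all access checks behave as expected\n";
```

The map is in-memory only so the file runs on its own; in a real install the same lookup would read av_class from the staffpanel table (cached, as in whocares' version) and the comparison would stay exactly where DND put it, at the top of the handler, before any tool code executes.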
#7, 09-11-16, 09:57, puppy (Member, Join Date: Feb 2016, P2P, Posts: 13)
Quote:
Does this happen when you do other things as staff? If so then check cache/staff_setting.php and cache/staff_sttings2.php to see if they have correct info.
They have all the correct information mate.

Quote:
To fix this, in include/class/class_check.php replace the current function get_access with:
(the get_access function as posted in #6)
Thanks for the helping hand