Are you are talking about this line (~300):
if (strpos(" ,$BOLTadmin,", ",$BOLTid,") && $BOLTadmin != '') return
true;
A quick check suggests this would interfere with how auth works for
specific functions/commands. Which I never use, and I'm not sure
anyone else does. But it is a good feature, I don't want to drop. In
those cases you can restrict certain functions/commands to certain
pages/hierarchies. Not tied to user id, but to the function/command
name (check). You would want these to always return true I think for
super admins. It would be worth double checking just to make sure
those features still work anyway. Or perhaps even revisit how they
should work.
But we could conceivably change those functions to users, not pages.
(Don't like that idea). Or rework the BOLTauth function some different
way, perhaps. Such as using BOLTid when type = function or command,
and $find otherwise.
Can you explain what you are doing exactly? You are checking for
another members permissions when you are logged in as superadmin? And
want to get the permissions of the other user, not yourself? I'd
prefer to leave it as is if possible, but happy to change if necessary
for good msql support. And any support we give to you will help other
similar kinds of plugins in the future. I'm just not sure I'm catching
what you are doing.
Cheers,
Dan
P.S. Just a thought, but shouldn't you have some kind of confirmation
before executing an msql command with the potential to delete your
entire site? And have you gotten stamp functionality to work, or just
using the default stamps system. Just curious as the though of system
wide incineration comes to mind. :)
On Wed, Sep 30, 2009 at 6:22 AM, DrunkenMonk <[email protected]> wrote:
>
> Is there any good reason why "BOLTid" and not "find" is being checked
> for BOLTadmin priveleges?
>
> I'm trying to use BOLTauth for my mysql plugin, where the priveleges
> are not BOLTuser based, but mysql user based. I'm trying to get
> another plugin which uses mysql to abort if the mysql user supplied is
> invalid.
>
> However, since I'm a superuser, I'm apparently allowed to use this
> mysql user from any page.
>
> So, assume I have a guest area, say, docs. A user then writes "[(mysql
> root "DROP * FROM *")]" and then tricks me into viewing this page. I
> bypass all my own checks and destroy all my mysql information.
>
> Solution:
> BOLTauth should always check permissions for that which is sent.
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"BoltWire" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/boltwire?hl=en
-~----------~----~----~----~------~----~------~--~---
