[geeklog-devtalk] geeklog-devel digest, Vol 1 #265 - 4 msgs
geeklog-devel-request at lists.geeklog.net
Mon Feb 2 13:00:07 EST 2004
Today's Topics:
1. Re: Group Admin revisited (Vincent Furia)
2. SR4 Bug -- err so it would appear (Blaine Lang)
3. Re: SR4 Bug -- err so it would appear (Dirk Haun)
4. Re: Server changes coming... (Tony Bibbs)
--__--__--
Message: 1
Date: Sun, 01 Feb 2004 13:25:32 -0500
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Group Admin revisited
Reply-To: geeklog-devel at lists.geeklog.net
Here is an off the wall idea. It will require quite a bit of rework,
but it may make group administration a bit more intuitive...
Why not add the idea of "ownership" to groups? So that a group has an
owner (user id), a group owner, membership access and anonymous access
(like what is used for story access). Root, the owner or a member of
the "group owner" group can all add or remove users from that group.
The membership access and anonymous access can probably be ignored,
unless someone can think of a good usage for them. (Perhaps only Root
can adjust these "owner" settings, and a check in membership access or
anonymous access can say whether membership group or the anonymous group
are allowed to be assigned to this group?)
Just an idea, seems this way would be more intuitive and easier to
control the power of any group admins.
-Vinny
Dirk Haun wrote:
>Just checking if I'm on the right track here ...
>
>So say we're restricting Group Admin such that he can only assign users
>to groups of which he himself is a member.
>
>But he can still create new groups. Obviously, he needs to be assigned to
>these new groups automatically or he won't be able to assign anyone else
>to that group. Correct?
>
>Also, the permissions that can be used for a new group need to be
>restricted such that they only list permissions that the Group Admin
>already has (through his membership in other groups). Correct?
>
>As I said - just checking. I'm not going to implement this just yet (and
>if anyone else wants to do it, feel free to do so ...).
>
>bye, Dirk
>
>
>
>
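The two restrictions Dirk asks about in the quoted message (assign only into groups the Group Admin belongs to; new groups limited to permissions he already holds, with the creator added automatically), written out as an added example. This is not Geeklog code: the array layout, function names and the group and permission names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed model: $groups maps group name => ['perms' => [...], 'members' => [uid, ...]].

// Union of permissions a user holds through all of his group memberships.
function perms_of(array $groups, int $uid): array
{
    $perms = [];
    foreach ($groups as $g) {
        if (in_array($uid, $g['members'], true)) {
            $perms = array_merge($perms, $g['perms']);
        }
    }
    return array_values(array_unique($perms));
}

// Rule 1: a Group Admin may assign users only to groups he is a member of.
function assign_user(array &$groups, int $admin, int $uid, string $group): bool
{
    if (!isset($groups[$group]) || !in_array($admin, $groups[$group]['members'], true)) {
        return false;
    }
    if (!in_array($uid, $groups[$group]['members'], true)) {
        $groups[$group]['members'][] = $uid;
    }
    return true;
}

// Rule 2: a new group may carry only permissions its creator already holds.
// The creator becomes its first member so rule 1 lets him assign others.
// Returns the refused permissions; an empty array means the group was created.
function create_group(array &$groups, int $admin, string $name, array $wanted): array
{
    if (isset($groups[$name])) {
        throw new InvalidArgumentException("group '$name' already exists");
    }
    $denied = array_values(array_diff($wanted, perms_of($groups, $admin)));
    if ($denied === []) {
        $groups[$name] = ['perms' => array_values($wanted), 'members' => [$admin]];
    }
    return $denied;
}

// Constructed data: uid 5 is a Group Admin who also sits in "Story Admin".
$groups = [
    'Group Admin' => ['perms' => ['group.edit'], 'members' => [5]],
    'Story Admin' => ['perms' => ['story.edit'], 'members' => [5]],
    'User Admin'  => ['perms' => ['user.edit', 'user.delete'], 'members' => [2]],
];
var_dump(assign_user($groups, 5, 9, 'Story Admin'));   // admin is a member of this group
var_dump(assign_user($groups, 5, 9, 'User Admin'));    // admin is not a member of this group
print_r(create_group($groups, 5, 'Editors', ['story.edit', 'user.delete']));
print_r(create_group($groups, 5, 'Editors', ['story.edit']));
```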
--__--__--
Message: 2
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Date: Sun, 1 Feb 2004 13:38:30 -0500
Subject: [geeklog-devel] SR4 Bug -- err so it would appear
Reply-To: geeklog-devel at lists.geeklog.net
The recent posts about Plugin (forum) extra settings not being saved or
overwriting other users.
I was looking into this today and noticed that the UID field in the
Edit form -> Account Information is being set to an encrypted 16 char
field. To be specific, $reqid.
Line 156 of usersettings.php
$preferences->set_var ('uid_value', $reqid);
I believe this is a typo and not some security change.
This triggers all sorts of problems that are looking for the UID in the
POST_VARS from this form.
Blaine
--__--__--
Message: 3
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] SR4 Bug -- err so it would appear
Date: Mon, 2 Feb 2004 00:14:17 +0100
Organization: Terra Software Systems
Reply-To: geeklog-devel at lists.geeklog.net
Blaine,
>Line 156 of usersettings.php
> $preferences->set_var ('uid_value', $reqid);
>
>I believe this is a typo and not some security change.
No, this was a deliberate change. To quote myself (from geeklog-security):
>I've re-used the hidden "uid" field in the form, so there's no need to
>update the templates. The field wasn't used anyway as the value can't be
>trusted.
You could simply use $_USER['uid'], which has the added advantage that it
can't be manipulated.
bye, Dirk
--
http://www.haun-online.de/
http://www.macosx-faq.de/
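An added example of the point made in the message above, not code from Geeklog or the forum plugin: a settings handler that picks the account from the hidden `uid` form field next to one that takes it from the server-side session array. It assumes the handler casts the field to an integer, which is one way a 16-character token in that field can end up saving nothing or writing another user's row; the function names, token values and settings layout are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins: $post is the submitted form, $user the server-side
// $_USER array, $store the per-user settings table (uid => settings).

// Risky pattern: the row to write is chosen by the hidden form field.
function save_settings_from_form(array &$store, array $post): int
{
    $uid = (int) ($post['uid'] ?? 0);   // client-supplied; a token casts to its leading digits or 0
    if ($uid > 0) {
        $store[$uid] = ['signature' => (string) ($post['signature'] ?? '')];
    }
    return $uid;                        // 0 means nothing was saved
}

// Pattern from the reply: the account comes from the session, never from the form.
function save_settings_from_session(array &$store, array $user, array $post): int
{
    $uid = (int) ($user['uid'] ?? 0);
    if ($uid <= 0) {
        throw new RuntimeException('no logged-in user');
    }
    $store[$uid] = ['signature' => (string) ($post['signature'] ?? '')];
    return $uid;
}

// Constructed data: user 7 is logged in; the hidden field holds a 16-char token.
$user  = ['uid' => 7];
$store = [
    3 => ['signature' => 'user 3 original'],
    7 => ['signature' => 'user 7 original'],
];

foreach (['3f9a1c0b7d2e4a68', 'a81c55e0b9d4f072'] as $token) {
    $copy  = $store;   // work on a copy so each run starts from the same state
    $wrote = save_settings_from_form($copy, ['uid' => $token, 'signature' => 'new text']);
    printf("form field %s -> wrote uid %d\n", $token, $wrote);
}

$post  = ['uid' => '3f9a1c0b7d2e4a68', 'signature' => 'new text'];
$wrote = save_settings_from_session($store, $user, $post);
printf("session -> wrote uid %d, user 3 still has: %s\n", $wrote, $store[3]['signature']);
```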
--__--__--
Message: 4
Date: Mon, 02 Feb 2004 09:05:58 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Server changes coming...
Reply-To: geeklog-devel at lists.geeklog.net
Don't worry about it. I am pretty sure the server geeklog.net runs on
isn't RAID5'd and not having RAID on the box with our CVS bothers me a
bit. I have the temporary server set up...it is a dual Pentium Pro 200
with 256MB of RAM and two 9GB SCSI drives (no RAID of any kind). All
the software is installed on it and I have already begun moving stuff
over (starting with my personal stuff). I will save the move of
project.geeklog.net and CVS until last but I'm hoping to have moved
everything by the end of this week. I won't move CVS until I have a
version of it working on the new server via ssh and anonymous pserver
(sigh).
After things are moved to the temporary server I'll then begin
rebuilding the current server to get it ready for the colo. That won't
happen for a couple of weeks and we'll have to repeat this process again.
It's a pain, I know but I'm sure we can do all this with little to no
downtime.
--Tony
Dirk Haun wrote:
> Tony,
>
>
>>In doing this I think
>>we should at least consider if we don't want to move CVS and the project
>>site to Pair. I only mention this because we have a dedicated server
>>for www.geeklog.net and it seems to make sense to have it all on one
>>server (until the MySQL instance dies). Any thoughts?
>
>
> Err, can we even do this? For one, we don't have root access on that
> server and the project site would need postgres installed to run. Similar
> issues with CVS.
>
>
>
>>Also, if we decide to leave things as they are I will have to move CVS
>>and the project site to a temporary server
>
>
> Any idea for how long?
>
> bye, Dirk
>
>
--__--__--