HUGE ACCESS CONTROL PROBLEM @brett

I am having a huge problem with access control. I know a little bit about code but still need a bit of detailed help. I am having the problem with my admins. My admins are changing users' profiles as a joke and even locking them out of their accounts! But I can't fire them because they know and operate different sections of the site. So I want to edit the core Elgg code so that all guids but mine (2) get locked out of admin password reset on user, admin edit user profile, admin remove admin, and admin delete account. This is so only I can run: admin password reset on user, admin edit user profile, admin remove admin, and admin delete account. Where and what in the Elgg code would I edit? Thank you for all of your help, as this problem must be resolved in a matter of days! I am sorry if this is in the wrong group, and I would appreciate your help, especially you, @brett.

  • There is a root folder called admin with various permissions; it would be in this folder and in those files.

  • This means there is a huge need to have a roles/permissions plugin. Joomla and Moodle handle this very nicely.

    There is a roles plugin already, but it's not fully finished. Anyone working on it? Probably it's one of those features soon to be added to the roadmap.

    Meanwhile, well, yeah, a little code hacking.

    Regards,
    Uddhava dasa

  • @Zak

    I have a root folder called admin with the various files in it, but I also have a file located at /engine/lib/admin.php that declares the admin_gatekeeper action as well as other code.

    @Uddhava dasa

    I agree with you on that point! And some hacking will be involved :)

    @brett

    I got those pfc hacks done with the help of another coder, and we got it all working. Thanks, man! :)

  • \mod\profile\views\default\profile\menu\adminlinks.php

    <?php
    /**
     * Profile admin context links
     *
     * @package ElggProfile
     * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
     * @author Curverider Ltd
     * @copyright Curverider Ltd 2008-2009
     * @link http://elgg.com/
     *
     * @uses $vars['entity'] The user entity
     */

    if (isadminloggedin()) {
        // Never show admin links on the admin's own profile
        if ($_SESSION['id'] != $vars['entity']->guid) {

            $ts = time();
            $token = generate_action_token($ts);

            // "Edit details" link: only for the site owner (guid 2)
            if ($_SESSION['user']->guid == 2) { ?>
            <a href="<?php echo $vars['url']; ?>pg/settings/user/<?php echo $vars['entity']->username; ?>/"><?php echo elgg_echo('profile:editdetails'); ?></a>
            <?php }

            // Ban / unban: still shown to every admin
            if (!$vars['entity']->isBanned()) {
                echo elgg_view('output/confirmlink', array('text' => elgg_echo("ban"), 'href' => "{$vars['url']}action/admin/user/ban?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));
            } else {
                echo elgg_view('output/confirmlink', array('text' => elgg_echo("unban"), 'href' => "{$vars['url']}action/admin/user/unban?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));
            }

            // Delete: only for the site owner (guid 2)
            if ($_SESSION['user']->guid == 2) {
                echo elgg_view('output/confirmlink', array('text' => elgg_echo("delete"), 'href' => "{$vars['url']}action/admin/user/delete?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));
            }

            // Reset password: still shown to every admin
            echo elgg_view('output/confirmlink', array('text' => elgg_echo("resetpassword"), 'href' => "{$vars['url']}action/admin/user/resetpassword?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));

            // Make / remove admin: only for the site owner (guid 2)
            if ($_SESSION['user']->guid == 2) {
                if (!$vars['entity']->admin) {
                    echo elgg_view('output/confirmlink', array('text' => elgg_echo("makeadmin"), 'href' => "{$vars['url']}action/admin/user/makeadmin?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));
                } else {
                    echo elgg_view('output/confirmlink', array('text' => elgg_echo("removeadmin"), 'href' => "{$vars['url']}action/admin/user/removeadmin?guid={$vars['entity']->guid}&__elgg_token=$token&__elgg_ts=$ts"));
                }
            }
        }
    }
    ?>

  • \engine\lib\admin.php

    Near line 79:

    // Only the site owner (guid 2) gets the plugins entry in the admin menu
    if ($_SESSION['user']->guid == 2) {
        add_submenu_item(elgg_echo('admin:plugins'), $CONFIG->wwwroot . 'pg/admin/plugins/');
    }

  • The first post is the file that will create limited ability for anyone but you as admin: just a ban feature and a reset password.

    The second removes access to the plugins menu.

  • \actions\admin\user\ban.php

    <?php
    /**
     * Elgg ban user
     *
     * @package Elgg
     * @subpackage Core
     * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
     * @author Curverider Ltd
     * @copyright Curverider Ltd 2008-2009
     * @link http://elgg.org/
     */

    require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php");

    // block non-admin users
    admin_gatekeeper();
    action_gatekeeper();

    // Get the user
    $guid = get_input('guid');
    $obj = get_entity($guid);

    // The site owner (guid 2) can never be banned: skip the whole block and just forward
    if ($guid != 2) {
        if (($obj instanceof ElggUser) && ($obj->canEdit())) {
            // Now actually disable it
            if ($obj->ban('banned')) {
                system_message(elgg_echo('admin:user:ban:yes'));
            } else {
                register_error(elgg_echo('admin:user:ban:no'));
            }
        } else {
            $canedit = $obj->canEdit();
            $isinstance = ($obj instanceof ElggUser);
            register_error(elgg_echo('admin:user:ban:no'));
        }
    }
    forward('pg/admin/user/');
    exit;
    ?>

  • That last one protects your account from being banned.
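The edits to adminlinks.php and admin.php above only hide links in the view; an admin who still has the action URL (the `action/admin/user/...` paths shown in the view code) can submit it directly with their own valid token, so the real restriction has to sit inside each action file, the way the ban.php edit does for the ban case. The following is an added example, not code from this thread or from Elgg itself, of two small guards that an action file can call before doing any work. It assumes the Elgg 1.x functions used in the thread (`admin_gatekeeper`, `action_gatekeeper`, `get_input`, `get_entity`, `register_error`, `system_message`, `forward`, `elgg_echo`) and the `$_SESSION['user']` convention the posted view uses; the constant `SITE_OWNER_GUID`, the helper names `owner_only_gatekeeper` and `protected_user_gatekeeper`, and the two language keys are assumptions.

```php
<?php
/**
 * Added example (not Elgg core): server-side guards for admin-only user actions.
 * SITE_OWNER_GUID, both helper names and both language keys are assumptions.
 */

// The one guid that keeps full admin rights (2 in the thread).
define('SITE_OWNER_GUID', 2);

/**
 * Abort the action unless the logged-in user is the site owner.
 * Behaves like admin_gatekeeper(): registers an error, forwards, never returns.
 */
function owner_only_gatekeeper() {
    $actor = isset($_SESSION['user']) ? $_SESSION['user'] : null;
    // Strict compare after casting: guid arrives as a string from the session/DB.
    if (!$actor || (int) $actor->guid !== SITE_OWNER_GUID) {
        register_error(elgg_echo('admin:ownerOnly'));      // assumed language key
        forward('pg/admin/user/');
        exit;
    }
}

/**
 * Abort the action if its target is the site owner's own account.
 * get_input() returns a string, so cast before comparing.
 */
function protected_user_gatekeeper($target_guid) {
    if ((int) $target_guid === SITE_OWNER_GUID) {
        register_error(elgg_echo('admin:protectedUser'));  // assumed language key
        forward('pg/admin/user/');
        exit;
    }
}

// ---- Usage at the top of an action file, e.g. actions/admin/user/removeadmin.php ----
require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php");

admin_gatekeeper();        // caller must be an admin at all
action_gatekeeper();       // request must carry a valid __elgg_token / __elgg_ts
owner_only_gatekeeper();   // caller must be guid 2 (added check)

$guid = get_input('guid');
protected_user_gatekeeper($guid);   // guid 2 can never be the target (added check)

$obj = get_entity($guid);
if (($obj instanceof ElggUser) && $obj->canEdit()) {
    // ... the action's original body (remove admin, reset password, delete, ...) goes here unchanged ...
    system_message(elgg_echo('admin:user:removeadmin:yes'));   // assumed language key
} else {
    register_error(elgg_echo('admin:user:removeadmin:no'));    // assumed language key
}

forward('pg/admin/user/');
exit;
?>
```

The same two calls fit at the top of every action the thread wants restricted (delete, resetpassword, makeadmin/removeadmin, and the plugin enable/disable actions behind `pg/admin/plugins/`): `owner_only_gatekeeper()` answers "who may run this", `protected_user_gatekeeper()` answers "who may it be run against", and because both run before `get_entity()` does any work, hiding the link in the view becomes a convenience rather than the only line of defence.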

  • Thanks @Zak, I'll install immediately. Is there also a way to protect future commands that I may need to block, like a way to block ppl other than me from disabling plugins? Thanks soooooooo much, man. I'll tell you if there's any problems and report back later. I'm "hacking" the code right now, thanks again :)