HUGE ACCESS CONTROL PROBLEM @brett

I am having a huge problem with access control, I know a little bit about code but still need a bit of detailed help. I am having the problem with my admins. My admins are changing users' profiles as a joke and even locking them out of their accounts! But I can't fire them because they know and operate different sections of the site. So I want to edit the core Elgg code so that all guids but mine (2) get locked out of admin password reset on user, admin edit user profile, admin remove admin, and admin delete account. This is so I can only run: admin password reset on user, admin edit user profile, admin remove admin, and admin delete account. Where and what in the Elgg code would I edit? Thank you for all of your help, as this problem must be resolved in a matter of days! I am sorry if this is in the wrong group and I would appreciate your help, especially you, @brett.

  • Read Sun Tzu.

    First thing is that if I had your problem with admins doing things that they should not be doing, destroying my user base, it would be goodbye immediately. You need to act and not become a prisoner to the antics of others, immediately.

    Then fix the permissions.

    Here is why: if they are doing this to others as a joke, they can do this to you as well. Nothing is stopping them from ruining access to your own site.

  • I understand and I have removed the admins causing problems, but I want to be able to fix these problems by making it so I can only run: admin password reset on user, admin edit user profile, admin remove admin, and admin delete account. All other admins would not be able to do the above. With that said, is there a way, and please specify in detail, that I could fix all admins' user permissions but mine to be locked out of the above functions? Thank you.

  • Yes, this is a huge area of interest and concern on my part as well. There needs to be a super admin level in Elgg... and without looking deeply into the situation, a "fix" would be to find all areas in which you wish to be the admin and no one else, like with the plugins area.

    You can use the guid tool to find your guid entity and put a condition in wherever there is a check for administration access, and further qualify it with whether it matches your specific user entity. Then, if you feel you have an admin who deserves and respects your site enough, you can add their guid entity to whatever areas you would like to give them control and access to.

    It's not really a difficult change, but it would be somewhat time consuming to find all those little places this comes up.

  • I don't mind finding those problems, so right now I'm looking at:

        // block non-admin users
        admin_gatekeeper();
        action_gatekeeper();

    What should I change that to so that it applies only to guid "2", which would be me?

  • I'm looking at the most effective way to do this at the moment; it might be a wee bit of time before I have a solid answer for you.

  • OK, thank you so much, this is a huge help!

  • @Zak ;-)

    super_admin_gatekeeper()
    clone admin_gatekeeper
    add guid 2 checking
    change all user profile, password, etc. core code to call super_admin_gatekeeper()
    setup your paypal donate button.. minimum $50 lolz ;-)

  • How would I add guid 2 checking? Sorry, kind of new to certain Elgg stuff. I know what code you're talking about though :)
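The super_admin_gatekeeper() outlined a couple of posts up, written out as an added example (not code from Elgg or from anyone in this thread). It assumes the Elgg 1.7-era API that admin_gatekeeper() belongs to (isadminloggedin(), get_loggedin_userid(), current_page_url(), register_error(), forward(), register_plugin_hook(), register_elgg_event_handler()), a hypothetical plugin start file such as mod/superadmin/start.php, and action names that are assumptions to be checked against your own actions/ directory:

```php
<?php
/**
 * Hypothetical plugin start file (mod/superadmin/start.php) implementing the
 * "clone admin_gatekeeper, add guid 2 checking" idea from the thread.
 * Assumes Elgg 1.7-era function names; adjust for your version.
 */

// GUIDs allowed past the super-admin check. Only GUID 2 (the poster's own
// account) for now; add a trusted admin's GUID here to delegate access.
function superadmin_get_guids() {
    return array(2);
}

// True only if the logged-in user is an admin AND on the super-admin list.
function is_super_admin_logged_in() {
    if (!isadminloggedin()) {
        return false;
    }
    return in_array((int) get_loggedin_userid(), superadmin_get_guids(), true);
}

// Clone of admin_gatekeeper() with the extra GUID check: anyone who is not a
// super admin is bounced with an error, exactly like admin_gatekeeper() does
// for non-admins. Call this instead of admin_gatekeeper() in the pages you
// want reserved for yourself.
function super_admin_gatekeeper() {
    if (!is_super_admin_logged_in()) {
        $_SESSION['last_forward_from'] = current_page_url();
        register_error('Super administrator access required.');
        forward();
    }
}

// Plugin-hook version so the core action files need no editing: Elgg fires
// the 'action' hook before running an action script, and returning false
// stops the script. Non-admins are left alone here (Elgg's normal permission
// checks still apply to them); only admins who are not super admins are cut off.
function superadmin_action_hook($hook, $action, $return, $params) {
    if (!isadminloggedin() || is_super_admin_logged_in()) {
        return $return;
    }
    register_error('Only the super administrator may perform this action.');
    return false;
}

function superadmin_init() {
    // Assumed action names for the four operations named in the thread.
    $restricted = array(
        'admin/user/resetpassword', // admin password reset on user
        'profile/edit',             // admin edit user profile
        'admin/user/removeadmin',   // admin remove admin
        'admin/user/delete',        // admin delete account
    );
    foreach ($restricted as $action) {
        register_plugin_hook('action', $action, 'superadmin_action_hook');
    }
}

register_elgg_event_handler('init', 'system', 'superadmin_init');
```

Two points worth keeping in mind with this design. The hook approach is easier to maintain across Elgg upgrades than editing core files, and the whitelist array is where you would add a second trusted admin's GUID later. It only holds, though, if the plugins admin area (and anything else that can disable or edit plugins) is also behind super_admin_gatekeeper(); otherwise another admin can simply switch the plugin off.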

  • Dhrup! Awesome, thanks for the tip.

    @1gbram I want to know a little more about what you wish.

    Here is the situation. Controlling access at a super_admin level is not too difficult, but if I simply super_admin everything that goes along with the normal admin access, then there is nothing for an administrator to do.

    So... what I propose would be super_admin access to all the IT-type functions and the super_admin profile, protecting the status of the super_admin. What this leaves is the normal admin functions like checking the content (if you are using them to watchdog unsuitable content), and this leaves the ability to ban/edit profiles, but leaves you the power to remove rogue administrators without the fear of them taking over the site.

    I still have to track down all the areas this would apply to, but it is a function I need as well, so I am not losing anything I need done myself.

    @Dhrup, any tips for thinking of making this more of a plugin rather than a hack?

  • @Zak

    I'm on 1/2 throttle today.. Later this evening I will be more settled. Then I will look more into Elgg's functional areas.

    So you prefer not a hack but a PlugIn ? ;-) Marcus Povey posted some really smart interceptor code to trap *all "page draw" events and then do anything we like at that moment. I will check that blog (saved his notes on my portable drive) and then see how that can be used to intercept "super-admin" funcs and from there call the super_admin_gatekeeper() to allow or block ;-) Should work like a tiger !!!