Permissions for Who's Online admin/mod centre #4976
Conversation
…per issue SimpleMachines#4972 Signed-off-by: James Robson <git@sorck.net>
| elseif (in_array('moderate_forum', $allowedActions[$actions['action']])) | ||
| $data[$k] = $txt['who_moderate']; | ||
| elseif (in_array('admin_forum', $allowedActions[$actions['action']])) | ||
| $data[$k] = $txt['who_admin']; | ||
| else |
There was a problem hiding this comment.
We should leave this here, so it still shows the generic admin/mod messages for those without access.
There was a problem hiding this comment.
Do we consider it a privacy/security issue to show an admin working in the admin centre if that user has no way to view the admin centre?
Assuming that doesn't matter, they could be expanded quite a bit for completeness as admin_forum is not a permission needed for many admin centre areas. We may also need another integration hook to cover any other actions that may want to declare themselves as a mod centre/admin panel page.
We could then either do it as an array with a list of permissions that defines the admin panel, or a list of areas that are within the admin panel.
// If a page has one of these permissions then it is in the approapriate major action, like the admin or moderation centre.
// the admin and moderate items can initially be populated from the 'admin' and 'moderate' keys in $allowedActions
$majorActionPermissions = array(
'admin' => $allowedActions['admin'],
'moderate' => $allowedActions['moderate'],
);
// Allow mods to add to the major action areas
call_integration_hook('integrate_who_major_actions', &$majorActionPermissions);
// Check if we should show a major action message
foreach ($majorActionPermissions as $action => $permissions)
if (!empty(array_dif($permissions, $allowedActions[$actions['action']]))
$data[$k] = $txt['who_' . $action];Or if it was area based.
// Used to find out if the current area is part of the mod centre/admin centre
$majorActionAreas = array(
'admin' => array(
'admin',
'packages',
'etc',
),
'moderate' => array(
'moderate',
),
);
// Allow mods to add to the major actions
call_integration_hook('integrate_who_major_actions', &$majorActionAreas);
// Only check against major action messages if we are in a large area
if (isset($actions['area']))
foreach ($majorActionAreas as $action => $areas)
if (in_array($action, $areas))
$data[$k] = $txt['who_' . $action];Benefits:
- mods can add themselves as major actions with sub areas
- mods can declare their areas as being in the admin centre or mod centre
There was a problem hiding this comment.
We have had the setup that way for a long time, even possibly in YabbSE. So I wouldn't consider it a risk. Not much can be identified by what they are doing. Just that they are in a mod or admin area.
The hook sounds great, but need others to provide input on how specific we get. I would go with the first and let the mod authors handle that.
There was a problem hiding this comment.
So $allowedActions would be for normal non-admin/mod actions only?
If it's like that it sounds great, I wouldn't mind either of the suggestions both are nice.
Signed-off-by: Jon Stovell <jonstovell@gmail.com>
Do not reveal admin and mod centre usage unless allowed to see it as per issue #4972
Signed-off-by: James Robson git@sorck.net