Post by dd764ta on Aug 16, 2015 12:11:10 GMT -8
Hi everyone, I have a question about the permissions on plugin keys. Is there any way to have permissions based on the user that created the key? For example, when attaching data to a Thread Key, I want only that user that created that thread and staff to be able to modify that key. All other members should be able to see it, but not modify it. I know that there is weak client side validation that can be used such as hiding the UI that modifies the data in the key, but that does not really stop someone from pressing F12 and setting the key from their browser's JavaScript console. What would be optimal is if that kind of attempt would result in the same error message as when the wrong user attempts to modify a private user key of another member. Any suggestions?
Post by Lynx on Aug 16, 2015 13:25:04 GMT -8
A Thread Key will have its data accessible whenever the thread it contains data for is on the current page. As far as I know, there is no "selective write" except from the Key Permissions found in your builder's UI tab.
Post by Todge on Aug 16, 2015 13:43:52 GMT -8
Lynx is correct. The only way you'd be able to have that kind of selectivity is to write it into the plugin's code. For example, when the thread is created, the creator's member ID is written to the thread key, then use that as a check when the key is being written to in the future.
Post by dd764ta on Aug 16, 2015 13:53:54 GMT -8
Thanks for the answers, MSG and Todge. Unfortunately, writing that selectivity into the plugin's code cannot stop someone with mal-intent from clearing or manipulating it with one easy line of js in their browser's console though. I was hoping for some more secure way that could be validated on the server side when setting the value of the plugin key.
Post by Todge on Aug 16, 2015 16:05:08 GMT -8
There's not much you can do unfortunately..
You could use localStorage as a backup, the code could then check one against the other and if they don't match, rewrite it, but to be honest, few normal members have the know-how to use the browser console to re-write the key, and I doubt that those that do would bother.
Post by P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓ on Aug 16, 2015 18:22:24 GMT -8
You shouldn't need anything that secure, or you might as well scratch the idea of total security and go to PHP on your own server lol
Post by dd764ta on Aug 17, 2015 17:05:46 GMT -8
Thanks for the info about local storage Todge. While I know it is uncommon, I would not want to start a new custom section of the forum built upon a plugin that was so vulnerable. Unlikely that someone would abuse it? Maybe, depending upon the forum visitors. But one bad apple that knows how to google could ruin it for everyone and there is no recovery and the proboards security log won't even show who did it. P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this. I am now looking at other options like Parse.JS to store the actual data. If it is allowed with proboards rules, it may be viable. The proboards private user key may be able to bridge a user to an external data store that can maintain some level of security while making it publicly viewable without publicly editable to all.
Post by P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓ on Aug 17, 2015 21:59:52 GMT -8
> Thanks for the info about local storage Todge. While I know it is uncommon, I would not want to start a new custom section of the forum built upon a plugin that was so vulnerable. Unlikely that someone would abuse it? Maybe, depending upon the forum visitors. But one bad apple that knows how to google could ruin it for everyone and there is no recovery and the proboards security log won't even show who did it. P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this. I am now looking at other options like Parse.JS to store the actual data. If it is allowed with proboards rules, it may be viable. The proboards private user key may be able to bridge a user to an external data store that can maintain some level of security while making it publicly viewable without publicly editable to all.

External files that a plugin uses must be loaded asynchronously.
Post by Quozzo on Aug 24, 2015 1:15:42 GMT -8
> P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this.

It is possible. The plugin interface has a Key Permission form field which restricts access to the key's read and/or write access. It can allow everyone to read the key and only the post creator to edit the key, not even admins unless specified in the plugin's Key Permissions.
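The distinction this thread turns on, as an added example that is not part of the original posts and does not use the ProBoards API: a constructed in-memory model (`KeyStore`, `pluginWrite` and `demo` are hypothetical names) comparing an ownership check done only in plugin code with one the store enforces on every write.

```javascript
// Constructed model, not the ProBoards API: every name here is hypothetical.
class KeyStore {
  // enforceOwner=false models a key that any member may write;
  // enforceOwner=true models a store that checks the writer on every set.
  constructor(threads, { enforceOwner }) {
    this.threads = threads;            // threadId -> { creatorId }
    this.enforceOwner = enforceOwner;
    this.values = new Map();
  }
  get(threadId) { return this.values.get(threadId); }  // readable by everyone
  set(session, threadId, value) {
    const thread = this.threads[threadId];
    if (!thread) return { ok: false, error: "no such thread" };
    // Identity comes from the authenticated session, never from the payload.
    const allowed = !this.enforceOwner || session.isStaff ||
                    session.userId === thread.creatorId;
    if (!allowed) return { ok: false, error: "permission denied" };
    this.values.set(threadId, value);
    return { ok: true };
  }
}

// Plugin-code guard as described in the thread: the creator's id is stored
// in the key value and compared before the plugin writes again.
function pluginWrite(store, session, threadId, data) {
  const current = store.get(threadId);
  if (current && current.owner !== session.userId && !session.isStaff) {
    return { ok: false, error: "blocked by plugin code" };
  }
  const owner = current ? current.owner : session.userId;
  return store.set(session, threadId, { owner, data });
}

function demo(enforceOwner) {
  const store = new KeyStore({ 10: { creatorId: 1 } }, { enforceOwner });
  const owner = { userId: 1, isStaff: false };
  const other = { userId: 2, isStaff: false };
  const staff = { userId: 3, isStaff: true };
  return {
    ownerCreate: pluginWrite(store, owner, 10, "v1").ok,
    otherViaPlugin: pluginWrite(store, other, 10, "x").ok,
    // A write that never passes through the plugin's guard.
    otherDirect: store.set(other, 10, { owner: 2, data: "x" }).ok,
    staffEdit: pluginWrite(store, staff, 10, "v2").ok,
    finalOwner: store.get(10).owner,
  };
}
```

With `enforceOwner` false the guard in `pluginWrite` stops only requests that pass through it, and the stored owner marker ends up replaced; with `enforceOwner` true the same direct write is refused and the marker survives.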