Vanilla 1 is no longer supported or maintained.

Role List Fix

edited January 2008 in Vanilla 1.0 Help

Comments

  • Great! Although is it right that you cannot change someone's role to the same level as yours? So moderators can't make other people moderators?

    Also, it still boots you back to the homepage when you try to edit the role of someone on your same level. Is it easy to have an error instead?

    Good work though!
  • Yeah the logic is correct, you can't change someone to the same role as you. Otherwise moderators may just make their friends moderators without consulting the person(s) above them. And yes, it does still boot you back but that's only because you shouldn't be able to reach their role-changing page at all as the link is removed. If the link is removed, the only way you should be able to access their role changing page is through devious methods in which case a firm boot is necessary.
  • Ok, cool. But I think there should be at least some kind of JavaScript error. So it boots you back and then brings up a window saying 'you cannot edit a member with a higher or equal role to yourself'.

    Otherwise if I set this up for someone I'll get loads of support queries saying that it's broken! As long as they know that they can't, it's all good...

    Cheers.
  • Yeah I see what you mean but I don't see how they're accessing the user's change role page at all. If they have the 'change role' permission and then go to a user's profile. If they look on the sidebar, the 'Change Role' link will be there if they can edit them or it won't be there if they don't have permission. It's as simple as that. Unless a user is specifically trying to undermine the system, they should never be in a position to be booted back. The only thing I can think of is if there's another way to access that role change page that I missed. I'm assuming you just went to account/userID/?PostBackAction=Role to get to that without clicking the link? If not then can you tell me what link you clicked to get there and I'll patch it up. I may still add an error message to the index for compatibility with other extensions as they may provide a link to the role-change page which I won't be in a position to block.
  • Uploaded version 1.1 of Role List Fix.
  • wait, but if you're admin (or whatever the top role is) you can't promote someone else to admin? that should be fixed, don't you think? Better yet, it should be like a permission; Like a certain role is allowed to promote people up to XYZ role, then they can't. just checking - in the database table for roles, there's 2 numbers, one is RoleID, and the other one is Sort. (or something like that) The roleid has to do with the order the roles were created in, the one that you should be using to check if a user can edit a certain role is sort. (again, I'm just checking, this seems like a likely mistake)
  • The Priority field is what the extension is using to determine whether you can edit that user's role. You can only edit those who are of a role with a lower priority than you. Unless you're the Administrator.

    The Administrator can do whatever they wish, the logic specifically excludes the highest ranked user (according to the priority field) from being restricted.
  • wait, but if you're admin (or whatever the top role is) you can't promote someone else to admin?
    Yeah, you can. It's mentioned a few times in this thread but it's unclear here.

    Using a permissions system to allow certain roles to promote certain other roles to certain roles could get quite complicated, quite fast. I think the current priority system is easy to understand and allows you a decent amount of flexibility. The only thing I'd add is to allow some roles to have the same priority as others (effectively being on the same level).

    I'll probably add it sometime but for now, this fixes the main role issues.
  • The directories are a bit screwed in the 1.1 version Fyorl...

    What did you change in 1.1 by the way?
  • In the 1.1 I fixed the redirection so that you actually saw the errors. What do you mean by 'the directories are a bit screwed'? Is it just the extension archive, not actually Vanilla? I haven't actually looked at what I uploaded, the archive was created by a build script I made. I'll have a look now.
  • Uploaded version 1.1 of Role List Fix.
  • Yeah, the directory structure's fixed now. I'll amend my build script to not be so stupid >_<
  • one way to be able to tell which is the admin role, is to see which role user # 1 is. I don't think you can change the role of user 1, and it's called administrator by default.
  • Yeah, Ben just tested. User #1 can't have their role changed. If there are any problems with the current method then I'll switch over to that.
  • I've updated to 1.1, twice to be sure. It doesn't seem to show the errors at all.
  • Yeah sorry, that's not what I meant by it showing errors. It will show errors if you try to fabricate some form data to send. It still doesn't show errors when you try to change a user's role who is of a higher rank than you because there's no button to get to that user's role change page anymore. If you're accessing the role change page from somewhere else that I didn't notice then please tell me and I'll fix it otherwise I don't see why an error message is necessary. If you want to change a user's role you go to their account and click 'change role' on the side. If that user's higher rank than you then you won't see that button anymore. Therefore, if you still wanted to get to that user's role change page you'd have to manually append ?PostBackAction=Role to the URL at which point you already know you shouldn't be doing that. So if you do that and get kicked back to the index it's not like you don't know what you've done wrong and the redirection is a complete mystery.
  • I see, but the thing is that you can still see the change role button.

    This is how a moderator sees an administrator...

  • That change role button on the right should not be there for users of a higher rank than you. If it is visible then that's a bug and I will look into fixing it. What theme is that?
  • thank you for this patch, Fyorl. this should be built in to the core of vanilla's next release!
  • I also think it should be however the problem is that some people don't seem to understand the problem with the current role system.
This discussion has been closed.
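
The rule discussed in this thread (you may only edit users of a lower-priority role, you may not grant a role equal to or above your own, and the top-priority role is unrestricted) has to be enforced on the server whether or not the 'Change Role' link is shown. The sketch below is an added example, not the extension's code: the role names, priority values, the `canChangeRoles` field and the `canChangeRole` function are assumptions, and it assumes a larger priority number means a higher rank.

```php
<?php
// Added example: role names, priority values and field names are constructed,
// not Vanilla's schema. Assumes a larger priority number means a higher rank.
const ROLES = ['Member' => 1, 'Moderator' => 2, 'Administrator' => 3];

/**
 * Server-side decision for a role-change request.
 * Returns [allowed, reason]; the reason can be shown to the user instead of
 * silently redirecting to the index.
 */
function canChangeRole(array $roles, array $actor, array $target, string $newRole): array
{
    if (empty($actor['canChangeRoles'])) {
        return [false, 'You do not have the change-role permission.'];
    }
    foreach ([$actor['role'], $target['role'], $newRole] as $name) {
        if (!isset($roles[$name])) {
            return [false, 'Unknown role.'];
        }
    }
    $actorPriority = $roles[$actor['role']];
    // The highest-priority role is excluded from the restrictions.
    if ($actorPriority === max($roles)) {
        return [true, 'OK'];
    }
    if ($roles[$target['role']] >= $actorPriority) {
        return [false, 'You cannot edit a member with a higher or equal role to yourself.'];
    }
    if ($roles[$newRole] >= $actorPriority) {
        return [false, 'You cannot grant a role equal to or higher than your own.'];
    }
    return [true, 'OK'];
}

// Constructed requests, including ones that could only arrive by typing the
// URL or fabricating form data, since the sidebar link would be hidden.
$mod   = ['role' => 'Moderator', 'canChangeRoles' => true];
$admin = ['role' => 'Administrator', 'canChangeRoles' => true];
$cases = [
    'moderator edits administrator'       => [$mod, ['role' => 'Administrator'], 'Member'],
    'moderator promotes member to mod'    => [$mod, ['role' => 'Member'], 'Moderator'],
    'administrator promotes mod to admin' => [$admin, ['role' => 'Moderator'], 'Administrator'],
];
foreach ($cases as $label => [$actor, $target, $newRole]) {
    [$ok, $reason] = canChangeRole(ROLES, $actor, $target, $newRole);
    printf("%-38s %s (%s)\n", $label, $ok ? 'allowed' : 'denied', $reason);
}
```

Returning a reason alongside the decision lets the handler both reject a hand-typed or fabricated request and tell a legitimate user why nothing changed.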