So I have set up a sign in form on the bottom of each of my pages on my website and set up a form with username and password fields. This is directed to a processing page that checks the database to give admin rights to the first field it encounter which will always be my admin account which is in the form of a session variable. On index.php in the php free chat folder I have added a check against that session variable and if true sets $params["isadmin"] = true;. This is all well and good I have it working where it recognizes me as admin and allows me to execute chat commands. My question is this:
When I signed in, at the bottom of the chat frame I have this warning:
Warning: because of "isadmin" parameter, everybody is admin. Please modify this script before using it on production servers !
Maybe I don't fully understand the way it works. I have hoped that by sending the param only to the admin that it would be restricted to that person that signed in. But does this apply to all who will sign in after as well? Is the setting stored somewhere in the file system and used from there on?
Just testing this locally right now before I know it's safe. Is there a better way to do this then?
Anyway wanted to give a big thanks to the people or person who made this great software. I am seeing all kinds of development possibilities and will be making a donation soon!
user rights and admin
Moderators: OldWolf, re*s.t.a.r.s.*2
3 posts
• Page 1 of 1
by love_this_software » Mon Nov 28, 2011 8:38 pm
- love_this_software
- New member
- Posts: 2
- Joined: Mon Nov 28, 2011 8:12 pm
by re*s.t.a.r.s.*2 » Mon Nov 28, 2011 10:15 pm
Hi,
When someone enter the chat as admin, the $params["isadmin"] is set to true at the bottom side of the index.php there is a conditional that test against it , if find that someone is set as admin then it tells you that the parameter is set to true,
does that because it has no way to know that your have already wrapped the parameter to only be given to your registered admin.. but if you safely checked the user that you want to be admin is in fact the user that you want to be admin then you can delete that code because it wont affect the others..
$params["isadmin"] is a dynamic parameter so others wont have the admin meta set..
default as standalone : $params["isadmin"]= true;
if you tested your user..
then
then just rehash..
best regards.
When someone enter the chat as admin, the $params["isadmin"] is set to true at the bottom side of the index.php there is a conditional that test against it , if find that someone is set as admin then it tells you that the parameter is set to true,
does that because it has no way to know that your have already wrapped the parameter to only be given to your registered admin.. but if you safely checked the user that you want to be admin is in fact the user that you want to be admin then you can delete that code because it wont affect the others..
$params["isadmin"] is a dynamic parameter so others wont have the admin meta set..
default as standalone : $params["isadmin"]= true;
if you tested your user..
then
- Code: Select all
$params["isadmin"]= false;
// where foo is the session that hold the admin session
if($foo)
{
$params["isadmin"] =true;
}
then just rehash..
best regards.
- re*s.t.a.r.s.*2
- Support Team
- Posts: 612
- Joined: Wed Sep 24, 2008 4:04 pm
- Location: los angeles CA
by love_this_software » Mon Nov 28, 2011 11:34 pm
Yeah that is pretty much what i've done. Dunce that I am I realized after posting that I could just test this by signing in as a regular user in a different browser. Now IE won't even display the chat????? Oh well, still great software. Hope to sort it out soon. Thanks for your help.
- love_this_software
- New member
- Posts: 2
- Joined: Mon Nov 28, 2011 8:12 pm
3 posts
• Page 1 of 1
Return to General Support (v1.x)
Who is online
Users browsing this forum: No registered users and 27 guests
