Gossamer Forum

Editor Security Issue

I have added some fields to my database which involve money. These fields are associated with a link. Link priority, priority image. (sponsors pay for this).

When an editor is given privileges to add or modify a link, they are then able to change these fields. Of course one should only approve editors they can trust, but there is no easy way to keep tabs on editors changing these fields.

Is there a way I can hide certain fields from the link and category edit/add forms from editors and only I can see them in the admin panel?

I currently have:

Title
URL
LinkOwner
Add Date
Mod Date
Description
Contact Name
Contact Email
Hits
isValidated ---NoYes
Rating
Votes
Priority ---YesNo
Priority Image

I want the following to be seen by the Editor:

Title: Yes
URL: Yes
Link Owner: Yes
Add Date: No
Mod Date: No
Description: Yes
Contact Name: Yes
Contact Email: Yes
Hits: No
is Validated: No
Rating: No
Votes: No
Priority: No
Priority Image: No


This is becoming a serious security issue for me and I would appreciate any help anyone could offer on this.

Thanks very much.

Last edited by: sooke: Apr 18, 2002, 9:33 PM

Re: [sooke] Editor Security Issue
Couple suggestions:

1) Make those fields NOT REQUIRED -or- Allow NULL values.

2) If you want to make those fields required -or- NOT NULL, then you could edit the modify.cgi to pull in the "original" values.

3) Or you could add hidden fields in the editor template form files.
========================================
Buh Bye!

Cheers,
Me
Re: [Heckler] Editor Security Issue
Thanks for the quick reply!

The trouble is, I cannot find which template actually contains these forms that the editor is presented. I have looked in all my browser*.html files. The best I can see is a <%form%> value.

I like your idea of presenting hidden values from the form. Is the form template the same template that is used for my admin panel? If so how can I make these fields show up for me, and not for the editors?

Last edited by: sooke: Apr 18, 2002, 9:47 PM

Re: [sooke] Editor Security Issue
What template set are you using? If 'default' then it should be in include_form.html.

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy.] Editor Security Issue
Hi Andy, I am using the Yahoo template set.

My include_form seems to be for the user to modify or add a link on-line... not the form which is displayed in the editor browse section... it seems to be missing all the fields???

Re: [Andy.] Editor Security Issue
I've found some things that look like they are generating the browser form in browser.pm. But this file is way beyond my knowledge to modify.
Re: [sooke] Editor Security Issue
In Reply To:
I have added some fields to my database which involve money. These fields are associated with a link. Link priority, priority image. (sponsors pay for this).

When an editor is given privileges to add or modify a link, they are then able to change these fields. Of course one should only approve editors they can trust, but there is no easy way to keep tabs on editors changing these fields.

Is there a way I can hide certain fields from the link and category edit/add forms from editors and only I can see them in the admin panel?

I currently have:

Title
URL
LinkOwner
Add Date
Mod Date
Description
Contact Name
Contact Email
Hits
isValidated ---NoYes
Rating
Votes
Priority ---YesNo
Priority Image

I want the following to be seen by the Editor:

Title: Yes
URL: Yes
Link Owner: Yes
Add Date: No
Mod Date: No
Description: Yes
Contact Name: Yes
Contact Email: Yes
Hits: No
is Validated: No
Rating: No
Votes: No
Priority: Seen but not be able to modify.
Priority Image: No


This is becoming a serious security issue for me and I would appreciate any help anyone could offer on this.

Thanks very much.

I would like the priority to be seen by editors but not editable. This way editors know not to delete sponsored links.

I have looked through all of the browser_*_*_form.html files, and these seem to contain the <%form%> command.... which I cannot find anywhere to be able to modify.

Help!

Last edited by: sooke: Apr 19, 2002, 9:14 AM

Re: [sooke] Editor Security Issue
What you need is Browser.pm, I think. There you will find sub link_add_form and related things. You can change the code there directly (i.e. you would probably want to set "hide" (line 896) dependent on the user permissions).

But I strongly suggest that you write a plugin for that, and that you don't change the code in Browser.pm.

Good luck anyway.

Ivan
-----
Iyengar Yoga Resources / GT Plugins
Re: [sooke] Editor Security Issue
Hi,

This is not going to be easy to do. The browser.pm is used for the Admin->Browse function as well as the editor code.

We are working on revamping the editor system to make this sort of customization possible.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Editor Security Issue
Thanks for the replies.

What to do? Unsure.... hmmmm. I am glad that this is something you will be looking into for a future update. I am wondering what to do in the mean time. It sounds like editing browser.pm is not the answer in this case - unless there was something I could put into it which would "sense" if it is the administrator or not, and display these fields accordingly.

I understand your point about not editing the browser.pm Yogi. I am still learning how to write plug-ins... so this is not an option for me, yet.

Last edited by: sooke: Apr 19, 2002, 1:20 PM

Re: [sooke] Editor Security Issue
Hi,

Well, you could modify browser, just wrap your changes in:

if ($self->{ctrl}->{admin}) {
    .. this is the admin
}
else {
    .. this is the editor.
}

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Editor Security Issue
Thanks Alex... but perl is still a little beyond me (I am learning!) and I may end up with error/holes in this.

I am going to give it the ole college try, but if not, any chance of someone writing a modified browser.pm for me to do this? (Happy to pay a little fee of course.)
Re: [Alex] Editor Security Issue
Just as a suggestion, for revamping the editor area.... some way of tracking what your editors have been up to would be great. For example... see how many times an editor has logged on, and how many validations, modifications, deletions, etc each editor has done... (I pay my editors in advertising credits so this allows me a fair way of determining the amount of work they have done)... just as importantly... you can track down who has been doing the work, or which editors are stale and should be dumped. You might also be able to track down editor abuse and editors that are causing damage to your directories.

Another idea would be way of backing up a particular directory only.... this would be good editor damage prevention.

Food for future thought perhaps.
Re: [sooke] Editor Security Issue
If you give editors the ability to delete links, and such, the only "fail safe" is a good set of back ups.

One thing you could do, is to log all changes. Any edit to a link, the old link is saved to a backup table, and is available if needed. You can purge that table as needed.

Logging editor changes is fairly intensive, and would mean hooking into the add/modify/delete/validate routines, and doing a "compare" between old and new data to log specific changes.

What have others done to insure data security and integrity with a number of editors running around?


PUGDOG Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
Re: [pugdog] Editor Security Issue
Yeah, I agree with you there... it may not be worth the effort of tracking....

I am going for prevention is better than cure.

I am having no luck with hiding these fields in browser.pm yet..... still trying to work out what all this means!

I am assuming this is what creates the category add/modify form???? Finding the fields on these forms in the browser.pm is not as easy as I thought.... and perl is not as easy as ASP!

Could someone point me in the right direction? For example how does this show Votes, Priority, Priority Image etc?

Code:

# Builds the link add form from the Links table definition; the "hide"
# list decides which columns become hidden inputs instead of visible ones.
my $h = new GT::SQL::Display::HTML::Table ( { db => $links, input => $IN } );
$self->print_template ( "browser_link_add_form.html",
    {
        navbar      => $navbar,
        Name        => $category_info->{Name},
        category_id => $category_id,
        form        => $h->form ( {
            defaults    => 1,
            skip        => [ qw /CatLinks.LinkID Timestmp/ ],
            hide        => [ qw/ID isNew isChanged isPopular Status Date_Checked Timestmp/ ],
            file_field  => 1,
            file_delete => 1
        } ) . "<input type=hidden name='CatLinks.CategoryID' value='$category_id'>"
    } );

Last edited by: sooke: Apr 20, 2002, 12:29 AM
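One way to put Alex's admin check and the "hide" list from the snippet above together, as an added example that is not code from this thread or from Gossamer Links: it builds a per-role hide list for the form and, because a hidden input is only cosmetic, also strips the sponsor columns from anything an editor submits. The column names Priority and Priority_Image (and the helper names) are assumptions; showing Priority read-only to editors is not covered here.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from Gossamer Links: hide the
# sponsor columns from editors in the form *and* drop them from what an
# editor submits, keyed on the admin flag Alex mentions
# ($self->{ctrl}->{admin}). Column names are assumed.
use strict;
use warnings;

my @SPONSOR_FIELDS = qw(Priority Priority_Image);                # assumed names
my @EDITOR_HIDDEN  = qw(Add_Date Mod_Date Hits isValidated Rating Votes);

# Build the "hide" list for GT::SQL::Display::HTML::Table->form. Admins keep
# Browser.pm's own list; editors additionally lose bookkeeping and sponsor
# columns, so those inputs never appear on the editor's page. Wire it in as
#   hide => [ hide_list_for($self->{ctrl}->{admin}, qw/ID isNew .../) ],
sub hide_list_for {
    my ($is_admin, @base_hide) = @_;
    return @base_hide if $is_admin;
    my %seen = map { $_ => 1 } @base_hide;
    return (@base_hide, grep { !$seen{$_}++ } @EDITOR_HIDDEN, @SPONSOR_FIELDS);
}

# Hiding an input is cosmetic only: a request can still carry the parameter.
# Strip sponsor fields from the submitted values unless the caller is admin,
# and return the keys that were dropped so the attempt can be logged.
sub scrub_submitted {
    my ($is_admin, $in) = @_;    # $in: hashref of submitted CGI parameters
    return () if $is_admin;
    my @dropped = grep { exists $in->{$_} } @SPONSOR_FIELDS;
    delete @{$in}{@dropped};
    return @dropped;
}

# Constructed input: an editor's modify request that also carries Priority.
my %post = (Title => 'Example', URL => 'http://example.com/', Priority => 'Yes');
my @dropped = scrub_submitted(0, \%post);
print "dropped from editor request: @dropped\n";
print "fields kept: ", join(', ', sort keys %post), "\n";
print "editor hide list: ", join(' ', hide_list_for(0, qw/ID isNew isChanged/)), "\n";
```

The scrub step belongs in the modify handler before the row is written, since the form change alone does not stop a hand-built request.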
Re: [pugdog] Editor Security Issue
Hmmm, I really think a log of the changes is a great idea!

A log file could be generated (which you could clear say weekly)... which records:

Link/Category Title, Action (Move, Delete, Validate, Copy etc), Date/Time, By who (which editor or admin)

This would be VERY helpful indeed, and would allow you to see what your editors are up to, if anything. You could also see if an editor is doing nothing at all.

I have a reward system for my editors, and this would allow me to work out fair compensation for them...

ANY TAKERS ON WRITING THIS ONE??? STAFF OR PERL GURUS?

I am still wanting someone to write a modified Browser.pm or plugin for the hidden form fields for editors discussed in this forum.... any takers on this can send me a private message. I am looking for a fix until such a thing is included in LSQL.
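The "compare old and new data" audit log pugdog describes, written out with the columns sooke lists (title, action, date/time, who), as an added example that is not code from the thread or from Gossamer Links. The row column names and the editor name are constructed; hooking the functions into the add/modify/delete/validate routines is left to the caller.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from Gossamer Links: diff a
# link row before and after an edit and emit one audit-log line per action.
use strict;
use warnings;
use POSIX qw(strftime);

# Return "Field: old -> new" for every column whose value changed. Call it
# from the modify/validate/delete hook with the row as stored and the row
# as submitted; an empty list means nothing changed.
sub diff_changes {
    my ($old, $new) = @_;
    my %keys = map { $_ => 1 } keys %$old, keys %$new;
    my @changes;
    for my $k (sort keys %keys) {
        my $o = defined $old->{$k} ? $old->{$k} : '';
        my $n = defined $new->{$k} ? $new->{$k} : '';
        push @changes, "$k: $o -> $n" if $o ne $n;
    }
    return @changes;
}

# One tab-separated line: date/time, who, action, title, changed fields.
# Tabs and newlines inside values are flattened so a single entry cannot
# forge extra lines in the log (append the result to the log file).
sub log_line {
    my ($who, $action, $title, $changes, $when) = @_;
    $when ||= strftime('%Y-%m-%d %H:%M:%S', localtime);
    my $detail = join('; ', @$changes);
    s/[\t\r\n]+/ /g for ($who, $action, $title, $detail);
    return join("\t", $when, $who, $action, $title, $detail) . "\n";
}

# Constructed rows: an editor changes a sponsored link's URL and Priority.
my %before = (Title => 'Acme Widgets', URL => 'http://acme.example/', Priority => 'Yes');
my %after  = (Title => 'Acme Widgets', URL => 'http://other.example/', Priority => 'No');
my @changes = diff_changes(\%before, \%after);
print log_line('editor_bob', 'Modify', $before{Title}, \@changes, '2002-04-20 00:29:00')
    if @changes;
```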
Re: [Alex] Editor Security Issue
In Reply To:
Hi,

This is not going to be easy to do. The browser.pm is used for the Admin->Browse function as well as the editor code.

We are working on revamping the editor system to make this sort of customization possible.

Cheers,

Alex


When will this editor system be made public?

This is very important for me.
Re: [Alex] Editor Security Issue
Please answer my question.
Re: [Alex] Editor Security Issue
Is it possible to modify the form fields inside the editor to match how they appear in the default modify template? I want to color code certain form fields depending on the editor in charge of that section, but I'm having a difficult time trying to figure out where <%form%> is even located to try anything.

Thanks for any help you can give.
Perl Hopeful