[SOLVED] Security question

#1 Michael2
  • Member
  • Group: Members
  • Posts: 25
  • Joined: 10-April 18

Posted 09 February 2019 - 07:59 PM

I'm on phpr 10, using static permissions, with user groups default, admin, and users (I'm using the group-name as groupID field value).
This small project only has an administrator and users that can register.

Newly (successfully) registered users should automatically belong to the group 'users'.

In other words:
1) should I include the group field on the registration page with a default value of 'users' with no other choice?
-->is this safe from frontend-hacking, i.e.: user supplying another value for the POST back to the server (with parameter 'admin'). So: does the server only accept 'users' as a value in this scenario or would I need to add validation?

2) or is it better to not include the group field on the registration page and write the value 'users' in the after successful registration event to the appropriate field?
(and: would this also be safe from user manipulations by supplying additional (guessed) parameters in the POST back?)

I hope I was clear enough. Feeling a bit paranoid at the moment;-)
Thanks very much.
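The two scenarios in the post above, as an added example that is not code from this thread or from PHPRunner: a registration handler that copies every submitted field into the new record (the risk in scenario 1 if the server does not validate the hidden group field) next to a handler that reduces the form to an allowlist, logs anything extra, and writes the group server-side after validation (scenario 2). The field names `username`, `email`, `password` and `GroupID`, the in-memory `UserStore`, and the PBKDF2 password hashing are assumptions for illustration.

```python
"""Added example: server-assigned group membership on self-registration.
Not PHPRunner code; field names and storage are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Only these form fields may influence a new account. GroupID is deliberately absent.
REGISTRATION_FIELDS = frozenset({"username", "email", "password"})
DEFAULT_GROUP = "users"                                 # group every self-registered account gets
VALID_GROUPS = frozenset({"default", "admin", "users"})  # the static permission groups from the thread


@dataclass
class UserStore:
    """Stand-in for the login table, plus an audit log of suspicious submissions."""
    rows: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; returned as 'salt$hexdigest'."""
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def register_trusting(form: dict, store: UserStore) -> dict:
    """Weak pattern (mass assignment): every submitted field lands in the record.
    A hidden GroupID=users input works as intended, but nothing stops a client
    from posting a different group name instead."""
    row = dict(form)
    row["password"] = hash_password(row.pop("password"))
    row.setdefault("GroupID", DEFAULT_GROUP)
    store.rows.append(row)
    return row


def register_hardened(form: dict, store: UserStore) -> dict:
    """Scenario 2: the form is reduced to an allowlist, unexpected fields are
    logged for review, and GroupID is written by the server after validation."""
    unexpected = sorted(set(form) - REGISTRATION_FIELDS)
    if unexpected:
        store.audit.append(
            f"registration for {form.get('username')!r} carried unexpected fields {unexpected}")
    missing = REGISTRATION_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    row = {k: form[k] for k in REGISTRATION_FIELDS if k != "password"}
    row["password"] = hash_password(form["password"])
    row["GroupID"] = DEFAULT_GROUP      # never taken from the request
    store.rows.append(row)
    return row


def set_group(actor: dict, target: dict, new_group: str) -> None:
    """Group changes go through an admin-only path, never the profile page."""
    if actor.get("GroupID") != "admin":
        raise PermissionError("only admins may change group membership")
    if new_group not in VALID_GROUPS:
        raise ValueError(f"unknown group {new_group!r}")
    target["GroupID"] = new_group


if __name__ == "__main__":
    # Constructed request: a normal registration form plus a smuggled GroupID parameter.
    tampered = {"username": "mallory", "email": "m@example.test",
                "password": "hunter2", "GroupID": "admin"}
    weak, strong = UserStore(), UserStore()
    print(register_trusting(dict(tampered), weak)["GroupID"])    # admin
    print(register_hardened(dict(tampered), strong)["GroupID"])  # users
    print(strong.audit)
```

The audit entry is the detection hook: a legitimate browser never sends a field the form does not contain, so any request carrying `GroupID` is worth logging even when its value happens to be the default.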

#2 Tandy Services
  • Advanced Member
  • Group: Members
  • Posts: 77
  • Joined: 03-January 16
  • Gender: Male
  • Location: All Over The USA
  • Interests: Like trying to build different kinds of websites.

Posted 10 February 2019 - 10:46 AM

Michael2, on 09 February 2019 - 02:59 PM, said:

I'm on phpr 10, using static permissions, with user groups default, admin, and users (I'm using the group-name as groupID field value).
This small project only has an administrator and users that can register.

Newly (successfully) registered users should automatically belong to the group 'users'.

In other words:
1) should I include the group field on the registration page with a default value of 'users' with no other choice?
-->is this safe from frontend-hacking, i.e.: user supplying another value for the POST back to the server (with parameter 'admin'). So: does the server only accept 'users' as a value in this scenario or would I need to add validation?

2) or is it better to not include the group field on the registration page and write the value 'users' in the after successful registration event to the appropriate field?
(and: would this also be safe from user manipulations by supplying additional (guessed) parameters in the POST back?)

I hope I was clear enough. Feeling a bit paranoid at the moment ;-)
Thanks very much.

What I did was add the usertype field in. Then added my admin, user and so on. Default is "user". I then made a custom view of my login table and named it profile. In the query of the profile table I took out usertype and other things I did not want the user to see, add or edit. Then I went to security and in my main login table I had admin see and do everything and users could not. In my profile table I had users see and do what was needed and admin could not.
The reason I did it this way was because I could not get the code to work for only admin can see and edit the field.
Maybe you can get it to work.


#3 Michael2
  • Member
  • Group: Members
  • Posts: 25
  • Joined: 10-April 18

Posted 10 February 2019 - 03:02 PM

Thanks. I also already use a custom view for my "Profile" page of non-admin users.

What I was asking was more how to handle group assignment for users upon registration, when using static permissions with basically 2 groups: admins and users, but maybe 1 more user-group in the future.
All this with making sure that no one is able to register to the admin group, by accident or "hacking" of POSTs.

I'm sure I'm just overly paranoid... but wanted to ask how to best not make a mistake here ;-)

I was wondering if there's a setting I overlooked about default user group (other than default) for registering users, or whether I should use one of the scenarios I've written above:
1) include the group field in the registration but set a fixed value
2) set the field in the event after successful registration.

Thanks.

#4 Tandy Services
  • Advanced Member
  • Group: Members
  • Posts: 77
  • Joined: 03-January 16
  • Gender: Male
  • Location: All Over The USA
  • Interests: Like trying to build different kinds of websites.

Posted 11 February 2019 - 09:54 AM

Michael2, on 10 February 2019 - 10:02 AM, said:

Thanks. I also already use a custom view for my "Profile" page of non-admin users.

What I was asking was more how to handle group assignment for users upon registration, when using static permissions with basically 2 groups: admins and users, but maybe 1 more user-group in the future.
All this with making sure that no one is able to register to the admin group, by accident or "hacking" of POSTs.

I'm sure I'm just overly paranoid... but wanted to ask how to best not make a mistake here ;-)

I was wondering if there's a setting I overlooked about default user group (other than default) for registering users, or whether I should use one of the scenarios I've written above:
1) include the group field in the registration but set a fixed value
2) set the field in the event after successful registration.

Thanks.

Put the default as "user". If you have the usertype (GroupID) under your admin login and then in profiles you take that out, they can't move themselves to admin. They can't see it as long as they are only able to edit profiles. Now for hacking. There really is no safe way on a website. If it is out there on the www you are always subject to hackers. You can use the locking and brute force stuff to slow them down and hopefully catch it.


#5 Michael2
  • Member
  • Group: Members
  • Posts: 25
  • Joined: 10-April 18

Posted 11 February 2019 - 08:09 PM

Since I might have to have another user group I don't want to use the default group.
My question was about how to safely set registering users to a specific user group.

Of course there are all kinds of threats, but this was about a specific aspect, and I'm asking since I don't know enough about the inner workings of phpr (and am glad at the same time, since it's such an awesome tool).

Cheers, Michael

#6 admin
  • Administrator
  • Group: Admin
  • Posts: 16224
  • Joined: 03-February 03
  • Gender: Male

Posted 11 February 2019 - 10:19 PM

Set the default value of the GroupID field to any group name of your choice, be it "default", "user" or "customer".
Best regards,
Sergey Kornilov

#7 Michael2
  • Member
  • Group: Members
  • Posts: 25
  • Joined: 10-April 18

Posted 11 February 2019 - 11:14 PM

Thanks, Sergey.