[SOLVED] Security question

2/9/2019 2:59:33 PM
PHPRunner General questions
MikeT author

I'm on phpr 10, using static permissions, with user groups default, admin, and users (I'm using the group-name as groupID field value).

This small project only has an administrator and users that can register.
Newly (successfully) registered users should automatically belong to the group 'users'.
In other words:

  1. should I include the group field on the registration page with a default value of 'users' with no other choice?

     --> is this safe from frontend-hacking, i.e. a user supplying another value for the POST back to the server (with parameter 'admin')? So: does the server only accept 'users' as a value in this scenario, or would I need to add validation?
  2. or is it better to not include the group field on the registration page and write the value 'users' to the appropriate field in the 'after successful registration' event?

     (and: would this also be safe from user manipulations by supplying additional (guessed) parameters in the POST back?)

I hope I was clear enough. Feeling a bit paranoid at the moment ;-)

Thanks very much.
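One way to make scenario 2 hold regardless of what the browser sends, as an added example that is not code from the original post or from PHPRunner itself; the GroupID column name, the registration field names and the BeforeRegister event signature are assumptions:

```php
<?php
// Added example, not PHPRunner's own code: enforce the registration group on
// the server so that a tampered POST (GroupID=admin, or extra guessed fields)
// cannot change what gets written to the login table.
// Assumptions: the group column is called GroupID, the registration form
// collects username, password and email, and PHPRunner's "Before register"
// event has the signature BeforeRegister(&$userdata, $pageObject) returning
// bool. Check the event name and signature against your PHPRunner version.

const REGISTRATION_GROUP  = 'users';                           // group every new account gets
const REGISTRATION_FIELDS = ['username', 'password', 'email']; // allowlist of posted fields

/**
 * Reduce the posted registration data to the allowlisted fields and set the
 * group server-side. Any client-supplied GroupID or unexpected field is
 * logged and dropped; returns the sanitized array that should be written.
 */
function sanitizeRegistration(array $posted): array
{
    $clean = [];
    foreach (REGISTRATION_FIELDS as $field) {
        if (array_key_exists($field, $posted)) {
            $clean[$field] = $posted[$field];
        }
    }

    // Everything else (GroupID included) is not something the registrant
    // may choose. Log it: a posted GroupID of 'admin' is worth noticing.
    $unexpected = array_diff(array_keys($posted), REGISTRATION_FIELDS);
    foreach ($unexpected as $field) {
        error_log(sprintf('registration: dropped client-supplied field %s=%s',
            $field, json_encode($posted[$field])));
    }

    // The group is assigned here, never taken from the request.
    $clean['GroupID'] = REGISTRATION_GROUP;
    return $clean;
}

// PHPRunner "Before register" event (assumed signature). Returning false
// rejects the registration; after sanitizing, only the forced group remains.
function BeforeRegister(&$userdata, $pageObject)
{
    $userdata = sanitizeRegistration($userdata);
    return $userdata['GroupID'] === REGISTRATION_GROUP;
}
```

Whether the group field is shown on the form with a fixed value or left off it entirely, this keeps the group decision on the server, so the two scenarios in the question become equivalent from a tampering standpoint.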

Tandy 2/10/2019


What I did was add the usertype field in. Then added my admin, user and so on. Default is "user". I then made a custom view of my login table and named it profile. In the query of the profile table I took out usertype and other things I did not want the user to see, add or edit. Then I went to security and in my main login table I had admin see and do everything and users could not. In my profile table I had user see and do what was needed and admin could not.

The reason I did it this way was because I could not get the code to work so that only admin can see and edit the field.

Maybe you can get it to work..

MikeT author 2/10/2019

Thanks. I also already use a custom view for my "Profile" page of non-admin users.
What I was asking was more how to handle group assignment for users upon registration, when using static permissions with basically 2 groups: admins and users, but maybe 1 more user-group in the future.

All this with making sure that no one is able to register to the admin group, by accident or "hacking" of POSTs.
I'm sure I'm just overly paranoid... but wanted to ask how to best not make a mistake here ;-)
I was wondering if there's a setting I overlooked about default user group (other than default) for registering users, or whether I should use one of the scenarios I've written above:

  1. include the group field in the registration but set a fixed value
  2. set the field in the event after successful registration.

Thanks.

Tandy 2/11/2019

Put the default as "user". If you have the usertype (GroupID) under your admin login and then in profiles you take that out, they can't move themselves to admin. They can't see it as long as they are only able to edit profiles. Now for hacking: there really is no safe way on a website. If it is out there on the www you are always subject to hackers. You can use the locking and brute-force stuff to slow them down and hopefully catch it.

MikeT author 2/11/2019

Since I might have to have another user group I don't want to use the default group.

My question was about how to safely set registering users to a specific user group.
Of course there are all kinds of threats, but this was about a specific aspect, and I'm asking since I don't know enough about the inner workings of phpr (and am glad at the same time, since it's such an awesome tool).
Cheers, Michael

admin 2/11/2019

Set default value of GroupID field to any group name of your choice be that "default", "user" or "customer".

MikeT author 2/11/2019

Thanks Sergey.