Geeklog Forums

I'd like to restrict "Story admin" access to a specific topic to a certain "group" of users other than Story Admin. Currently, You can assign a Topic to the Topic Admin (which is kinda backwards). Why would you want to be able to assign Topic access to say.. User Admin? What I want do is restrict "story admin" access to specific topics by creating a new group to assign Topics to? Man i'm dizzy thinking about that...

---

--Ted(Ectropian)

I'm afraid that's not possible. When you assign the story.edit and/or story.moderate rights to a user (or add him/her to the StoryAdmin group), those rights are valid for all stories. It is not possible to restrict those rights to certain topics. The group selection in the topic editor is to give access rights to readers of that topic (though that doesn't work properly in 1.3.5sr2 - will be fixed in 1.3.6). bye, Dirk

Thanks. I think... Looking further, I see you can restrict read/edit access down to just the owner. Which I guess is what I was thinking. BUT the person who is "owner" has to actually CREATE the Topic currently. Any way to edit the "owner" of a topic so that restrictions can be assigned down from there? Again, I'm a bit confused at the difference bettween "Access right" and "permissions" It would see that If you don't have permission to Read, then what difference would Access rights have to do with a particular story/topic ? --Ectropian

---

--Ted(Ectropian)

Hmm, no, you can't edit the owner of a topic (actually, you can't edit the owner of anything) in Geeklog. You could, however, do that directly in the database ... The whole access rights / permissions concept is (loosely) based on what you have on a Unix system: Each file or directory is owned by someone and that someone is in at least one group. However, the owner can still give read and/or write access to his files to people who are in the same group - or even to everyone. Try to look at it from this point of view. bye, Dirk

So where is my chown? Maybe that sould be a root switch? I can't imagine why someone hasn't thought of this before. I see 1 user/group having access to edit/delete ALL stories in ALL topics a bit extreme don't you? Almost like Root-stories? Why have root? Anyway.. for the time being. Where would I look to change owner of a topic in the db?

---

--Ted(Ectropian)

If you are basing the security or "access" level of users on the unix style user system. Maybe you can explain how a sub-user, given user admin status, can change the password on a Root user? This is not good. I understand that certain precautions need to be made when choosing a 'user admin', but that doesn't negate the fact that a user admin can basically lock-out a root admin. Again.. Just observations Are there any plans on changing the user system in the near future?

---

--Ted(Ectropian)

The user permissions are a very powerful feature of Geeklog which, however, hardly anyone has been using so far. That explains why there are still errors in this code (which we attempt to fix in 1.3.6). To change the owner of a topic, have a look at the gl_topic table in your database. It has a field named "owner_id" which holds the user id of the owner of that topic. The user id is the same as the "uid" field in the gl_users table. bye, Dirk

As soon as you give any user the user.edit right, that user can change the password of any other user. I don't see anything wrong with this approach. If you don't trust a user, don't give him such powers ... As for GL 2: It is my understanding that it is planned to keep the access rights / permissions system mostly as it is now (with some possible refinements, e.g. the "chown" equivalent you suggested). bye, Dirk

Yes, for security reasons, I can see why one would be very careful who to give user-admin rights to. It just seems to negate the hierarchel structure by basically giving root access to user passwords (including root users). Maybe root users should be protected against such treachery?

---

--Ted(Ectropian)

I know this is months out of date, but I thought I'd share what I've done to try and overcome this lack. In admin/moderate.php in the itemlist function (around line 237 in release version 1.3.6), I modified a couple of lines: for ($i = 1; $i <= $nrows; $i++) { $A = DB_fetchArray($result); -> $hacked_tid = $A['tid'] . " Moderator"; -> if ($type == 'story' && !SEC_inGroup ( $hacked_tid) ) { -> continue; -> } if ($type == 'story') { $A[2] = strftime("%c",$A[2]); Then I added new groups named "TOPICAREA Moderator" where TOPICAREA is the name of each Topic. The group just has story.edit and story.moderate permissions. I set each topic to give read/edit perms to the associated group, then made the user I want to moderate a topic a member of the new group. It doesn't prevent anyone from doing moderation if they're determined, but it does just keep the articles they aren't SUPPOSED to moderate out of casual view. Additional tweakage is required to fix the number of submissions listed in the Admin block and remove the SUBMIT button if there are no displayed stories. Still, it beats just letting it all hang out. Pay no attention to the man behind the curtain. :-) In the longer term, I would think extending the db schema to include per topic moderation would be a fundamental requirement for using Geeklog in anything other than single user sites. Especially for corporate or intranet-type uses. Anyways, hope this helped somebody.