Welcome to Geeklog Thursday, October 28 2021 @ 05:15 pm EDT

Geeklog Forums

security groups not clear


remy

Forum User
Full Member
Registered: 09/06/03
Posts: 161
Location:Rotterdam & Bonn
Somehow I can't figure out what the difference is between the groups 'All users' and 'Logged-in users'.
The database table says that only user 1 (Anonymous) is not part of 'Logged-in users'. User 1 (Anonymous) is part of 'All users'.
The name 'Logged-in' is confusing; the group should be named 'Registered users', which is weird too, since you can't be a user without registering.
So, there is a huge redundancy with 2000 users. Increasingly if one needs own grouping.

I'm dead. I can't see that this redundancy is needed to distinguish the permissions of Anonymous from the rest.
Anybody to call me to life again?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Often you want to hide certain things from non-registered users - that's when you need to distinguish who's a registered user and who isn't.

bye, Dirk

remy

Forum User
Full Member
Registered: 09/06/03
Posts: 161
Location:Rotterdam & Bonn
Oh, yes. I totally agree with you, Dirk.

I still don't see why I must have 2000 records in table['group_assignments'] for 'ALL users' AND 1999 records in the same table for 'Logged-in users'. The only difference in those groups is $_USER['uid'] = 1.

I do think that a group 'Anonymous' with only 1 member does the job better. This concept is transparent with the permission block. That block does state 'tick for anonymous access'.

Resume. The name 'Logged-in' is confusing. This group contains all users, except user Anonymous, uid=1. The name does not have any relationship with the process of log-in. It does say that the user once created an account. Nobody knows if he/she ever logged-in. In this way, the use of the name is very identical to the use of 'All users' when Anonymous is kicked out of 'All users' and no longer hidden from the user-lists.

Cheers!

remy

Forum User
Full Member
Registered: 09/06/03
Posts: 161
Location:Rotterdam & Bonn
Revisiting the table [group_assignments]

The permission system tests the uid to detect the 'Geeklog SuperUser'. If uid = 2, then any privilege is assumed.
This could be done in a similar way for Anonymous too: if uid = 1, then no privilege is assumed.
And, furthermore, if uid > 2 then the privilege of Logged_in_Users is assumed.
These changes can eliminate two heavily populated groups, All_Users and Logged_in_Users.

Unless there are some other effects emanating of which I'm not aware.

This brings me to the question: why is it necessary for Geeklog to have all groups added to the Root Group?

Example:
1. The group 'Group Admin' is added to the Root Group.
2. The group 'User Admin' is added to the group 'Group Admin'.
3. The group 'User Admin' is added to the Root Group.

Why is (3) necessary?
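The two ideas raised in the post above (deriving 'All users' / 'Logged-in users' from the uid, and the redundant third nesting row) can be checked on a small model. This is an added example, not part of the post and not Geeklog's code or schema; the dictionaries, the function names, the sample uid 7, and the reading of "X is added to Y" as "members of Y also hold X" are assumptions made for illustration.

```python
# Constructed model of the thread's proposal; not Geeklog's schema or code.
ANONYMOUS_UID = 1  # the thread states Anonymous is uid 1

# Assumption: "X is added to Y" means members of Y also hold X.
GROUP_ADDED_TO = {                          # holder group -> groups added to it
    "Root": {"Group Admin", "User Admin"},  # rows (1) and (3) from the post
    "Group Admin": {"User Admin"},          # row (2)
}
# Explicit user rows; uid 2 and uid 7 are constructed sample accounts.
# Root membership is stored here, not inferred from the uid.
USER_GROUPS = {2: {"Root"}, 7: {"Group Admin"}}


def implicit_groups(uid):
    """Groups derived from the uid alone, with no stored rows."""
    if uid == ANONYMOUS_UID:
        return {"All Users"}
    return {"All Users", "Logged-in Users"}


def effective_groups(uid, added_to=GROUP_ADDED_TO, user_groups=USER_GROUPS):
    """Explicit rows, plus nested groups (transitive), plus implicit groups."""
    seen = set()
    stack = list(user_groups.get(uid, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; also stops nesting cycles
            continue
        seen.add(group)
        stack.extend(added_to.get(group, ()))
    return seen | implicit_groups(uid)


def without_row_3():
    """Same nesting with the direct 'User Admin added to Root' row dropped."""
    trimmed = {holder: set(added) for holder, added in GROUP_ADDED_TO.items()}
    trimmed["Root"].discard("User Admin")
    return trimmed


def rows_saved(total_users):
    """Rows no longer stored once both large groups are implicit."""
    return total_users + (total_users - 1)  # All users + Logged-in users


if __name__ == "__main__":
    print(sorted(effective_groups(2)))
    print(effective_groups(2) == effective_groups(2, added_to=without_row_3()))
    print(rows_saved(2000))
```

Row (3) is redundant only because `effective_groups` follows nesting transitively; a lookup that reads a single level of nesting would still need the direct row.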

Laugh

Site Admin
Admin
Registered: 27/09/05
Posts: 1438
The setup of Geeklog Security was before my time so I would have to look into things a little more to be 100% sure.

Root User may not necessarily be id of 2. Root group requires at least 1 user to be in root so if another user exists then id 2 could be deleted. (I believe this is how it works)

Anonymous will always be 1 though.

I agree some assumptions could be made in regards to groups to speed things up and from your examples it looks like you found a few instances that should be fixed.

Thanks for the forum post and I have added an issue in GitHub for it.

https://github.com/Geeklog-Core/geeklog/issues/1082
One of the Geeklog Core Developers.