Snitz Forums 2000
 Using mlev3 as different member level

rasure
Junior Member

289 Posts

Posted - 20 August 2004 :  03:06:39
What I've done is changed the moderator level to a Gold Member (mlev3) as I don't use moderator on my forums. This gives the gold members access to avatars, photo gallery, bio, extra post buttons and many other features from basic members after they have paid a subscription fee.

I have managed to prevent Gold Members (mlev3) from having any moderator functions such as edit forum, lock, unlock forum, delete forum etc. The only thing I haven't been able to do as yet is find a way of preventing mlev3 from typing in the URL, e.g.:

post.asp?method=EditTopic&TOPIC_ID=2670&FORUM_ID=1&auth=2001

and editing a post posted by anyone. I know it's in post.asp somewhere; could anyone point me in the right direction of where to look and how to change it so they can't do that without affecting editing their own topics? Thanks in advance.

Psychic & Spiritual Development Resources

Edited by - rasure on 20 August 2004 22:51:11

Jezmeister
Senior Member

United Kingdom
1141 Posts

Posted - 20 August 2004 :  08:19:51
Are you just wanting to stop them using any admin/moderator tools? If so you need to find the following in post.asp (around line 200):
	elseif mLev = 3 then
		if chkForumModerator(strRqForumID, ChkString(strDBNTUserName, "decode")) = "1" then
			AdminAllowed = 1
			ForumChkSkipAllowed = 1

delete that and one of the two following "end if"s

around line 700 in post.asp
if (strRqMethod = "EditTopic") then
	Dim MoveTopicAllowed
	if (mLev = 4) or (mLev = 3 and strMoveTopicMode = "0") or ((mLev = 3) and (strMoveTopicMode = "1") and (strAuthor = MemberID)) then
		MoveTopicAllowed = "1"
	else
		MoveTopicAllowed = "0"
	end if

and change it to look like this:
if (strRqMethod = "EditTopic") then
	Dim MoveTopicAllowed
	if (mLev = 4) then
		MoveTopicAllowed = "1"
	else
		MoveTopicAllowed = "0"
	end if


after that find this:
	if mlev = 3 or mlev = 4 then 
		Response.Write	"                <select name=""Forum"" size=""1"">" & vbNewLine
	end if

and make it
	if mlev = 4 then 
		Response.Write	"                <select name=""Forum"" size=""1"">" & vbNewLine
	end if


and a few lines below that find this:
if mlev = 3 or mlev = 4 then
		if recForumCount <> "" then
			cCAT_NAME = 0
			fCAT_ID = 1
			fFORUM_ID = 2
			fF_SUBJECT = 3
			fF_PRIVATEFORUMS = 4
			fF_PASSWORD_NEW = 5

and change it to this:
	if mlev = 4 then
		if recForumCount <> "" then
			cCAT_NAME = 0
			fCAT_ID = 1
			fFORUM_ID = 2
			fF_SUBJECT = 3
			fF_PRIVATEFORUMS = 4
			fF_PASSWORD_NEW = 5

and below that find this:
	if mlev = 3 or mlev = 4 then 
	        Response.Write 	"                </select>" & vbNewline
	end if

change that to this:
	if mlev = 4 then 
	        Response.Write 	"                </select>" & vbNewline
	end if

find the following and delete the code in red:
strRqMethod = "EditForum" then 
	if strPrivateForums <> "0" then
		if mLev = 3 then
			Response.Write	" onclick=""selectAllOptions(document.PostTopic.AuthUsers);"""
		else
			Response.Write	" onclick=""selectAllOptions(document.PostTopic.AuthUsers);selectAllOptions(document.PostTopic.ForumMod);"""
		end if
	else


That should do it. Save your current one separately first though, cos I haven't tested it.

Edited by - Jezmeister on 20 August 2004 08:31:26

rasure
Junior Member

289 Posts

Posted - 20 August 2004 :  17:14:06
Hi Jezmeister, thank you so much for your help.
I made the changes but it still allowed mlev3 to edit a post by typing in the URL
post.asp?method=EditTopic&TOPIC_ID=2670&FORUM_ID=1&auth=2001

I've included a copy of my post.asp as it is now (no changes made as described above); if you could have a look at it for me I would be very grateful.

http://www.spiritjourney.wanadoo.co.uk/post.txt

Psychic & Spiritual Development Resources

Edited by - rasure on 20 August 2004 17:15:15

DavidRhodes
Senior Member

United Kingdom
1222 Posts

Posted - 20 August 2004 :  18:43:21
quote:
Originally posted by rasure

What I've done is changed the administrator level to a Gold Member (mlev3) as I don't use administrators on my forums.



Admin is mlev 4, Moderator is mlev 3, just in case you'd got it wrong

The UK MkIVs Forum

Jezmeister
Senior Member

United Kingdom
1141 Posts

Posted - 20 August 2004 :  18:58:41
Isn't mlev 3 admin and mlev 4 super admin and mlev 2 moderator?

rasure
Junior Member

289 Posts

Posted - 20 August 2004 :  22:48:59
quote:
Originally posted by DavidRhodes

quote:
Originally posted by rasure

What I've done is changed the administrator level to a Gold Member (mlev3) as I don't use administrators on my forums.


Admin is mlev 4, Moderator is mlev 3, just in case you'd got it wrong


Oops, yes I meant Moderator, I've edited above post, sorry about that.
quote:
Originally posted by Jezmeister

Isn't mlev 3 admin and mlev 4 super admin and mlev 2 moderator?

I'm pretty sure mlev 3 is moderator and mlev 4 is admin, I think super admin is specified in config.asp as Const intAdminMemberID =1 (or whatever member ID you want as super admin)

I know when I log into a test account set up as a Gold Member (mlev 3) no admin options are available, the only problem I'm having is the one mentioned in my original post.

Psychic & Spiritual Development Resources

Edited by - rasure on 20 August 2004 22:55:19

Jezmeister
Senior Member

United Kingdom
1141 Posts

Posted - 21 August 2004 :  17:34:52
Oh, OK. Well, the changes I posted above should stop them accessing it like that. I guess you could try adding this:
if (mLev <> 4) then
Response.Redirect("default.asp")
else

at the beginning of the edit code then
end if

at the end of the edit code as a temporary fix

rasure
Junior Member

289 Posts

Posted - 06 September 2004 :  18:19:11
Sorry Jezmeister for the late reply, been busy.
The code does actually work when going to post the edited reply, although it still lets you go to the actual edit page itself (take this random example). Is there any way to stop this, as it also does it with admin posts too?

I know it's not really a security risk as you get the warning message "Only an Admin, a Moderator or the Author can change this post", but surely it's better not to let people get to the edit page by typing in the URL in the first place?

Psychic & Spiritual Development Resources

Edited by - rasure on 06 September 2004 18:21:26

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 06 September 2004 :  19:09:53
quote:
Originally posted by rasure
I know it's not really a security risk as you get the warning message "Only an Admin, a Moderator or the Author can change this post", but surely it's better not to let people get to the edit page by typing in the URL in the first place?



If you think about this logically, how could you prevent them from accessing the page?

Since they typed it directly in the browser all you can do is load it and then do a check.

cripto9t
Average Member

USA
881 Posts

Posted - 07 September 2004 :  09:31:30
rasure, I just put this together and just done the obvious checks, it may cause problems elsewhere.

When editing a topic or reply, it first checks to see if you are logged in. If not a warning message is displayed then redirect to default.asp.
If you are logged in, it checks to see if you are an admin. If not, it checks to see if you are the author. If not, you get a warning message and redirect.

In post.asp find this code around line 291
select case strSelectSize
	case "1"
		intCols = 45
		intRows = 11
	case "2"
		intCols = 70
		intRows = 12
	case "3"
		intCols = 90
		intRows = 12
	case "4"
		intCols = 130
		intRows = 15
	case else
		intCols = 70
		intRows = 12
end select

Right ABOVE that add this code
if strRqMethod = "Edit" or _
strRqMethod = "EditTopic" then
        if strDBNTUserName = "" then
                if strRqMethod = "Edit" then
                        Go_Result "You must be logged in to edit a reply."
                else
                        Go_Result "You must be logged in to edit a topic."
                end if
        else
                if mlev < 4 then
                        if strRqMethod = "Edit" then
                                '## check for author of reply
                                set rsACheck = my_Conn.Execute ("SELECT R_AUTHOR FROM " & strTablePrefix & "REPLY WHERE REPLY_ID = " & strRqReplyID & " AND R_AUTHOR = " & memberID)
                                if rsACheck.EOF or rsACheck.BOF then
                                        rsACheck.Close
                                        set rsACheck = nothing
                                        Go_Result "Please don't attempt to edit the URL<br />to edit this reply."
                                end if
                                set rsACheck = nothing
                        else
                                set rsACheck = my_Conn.Execute ("SELECT T_AUTHOR FROM " & strActivePrefix & "TOPICS WHERE TOPIC_ID = " & strRqTopicID & " AND T_AUTHOR = " & memberID)
                                if rsACheck.EOF or rsACheck.BOF then
                                        rsACheck.Close
                                        set rsACheck = nothing
                                        Go_Result "Please don't attempt to edit the URL<br />to edit this topic."
                                end if
                                set rsACheck = nothing
                        end if
                end if
        end if
end if


Hope this helps

    _-/Cripto9t\-_

Edited by - cripto9t on 07 September 2004 09:44:52

cripto9t
Average Member

USA
881 Posts

Posted - 07 September 2004 :  10:19:07
Same as above with a little less code
if strRqMethod = "Edit" or _
strRqMethod = "EditTopic" then
        if strRqMethod = "Edit" then
                postType = "reply"
                getSql = "SELECT R_AUTHOR FROM " & strTablePrefix & "REPLY WHERE REPLY_ID = " & strRqReplyID & " AND R_AUTHOR = " & memberID
        else
                postType = "topic"
                getSql = "SELECT T_AUTHOR FROM " & strActivePrefix & "TOPICS WHERE TOPIC_ID = " & strRqTopicID & " AND T_AUTHOR = " & memberID
        end if
        if strDBNTUserName = "" then
                Go_Result "You must be logged in to edit a " & postType & "."
        else
                if mlev < 4 then
                        '## check for author
                        set rsACheck = my_Conn.Execute (getSql)
                        if rsACheck.EOF or rsACheck.BOF then
                                rsACheck.Close
                                set rsACheck = nothing
                                Go_Result "Please don't attempt to edit the URL<br />to edit this " & postType & "."
                        end if
                        set rsACheck = nothing
                end if
        end if
end if

    _-/Cripto9t\-_
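
The admin-or-author check from the two posts above, modelled as an added example (not code from the thread or from Snitz): Python with an in-memory SQLite database stands in for post.asp and the forum database, and `can_edit`, `demo_db` and the sample rows are constructed for illustration. It goes slightly beyond the posted code by accepting digits-only IDs and binding them as query parameters instead of concatenating them into the SQL.

```python
import sqlite3

ADMIN_LEVEL = 4  # mlev 4 = admin in this thread; lower levels must be the author

# method -> (table, id column, author column); fixed allowlist, never taken from the request
POST_TYPES = {
    "Edit": ("REPLY", "REPLY_ID", "R_AUTHOR"),
    "EditTopic": ("TOPICS", "TOPIC_ID", "T_AUTHOR"),
}

def can_edit(conn, method, raw_id, member_id, mlev):
    """Return (allowed, reason). Run it on page load AND again when the edit is submitted."""
    if method not in POST_TYPES:
        return False, "unknown method"
    if member_id is None:
        return False, "not logged in"
    # IDs arrive as query-string text: accept a short run of ASCII digits only
    if not (isinstance(raw_id, str) and raw_id.isascii()
            and raw_id.isdigit() and len(raw_id) <= 9):
        return False, "bad id"
    if mlev >= ADMIN_LEVEL:
        return True, "admin"
    table, id_col, author_col = POST_TYPES[method]
    row = conn.execute(
        f"SELECT 1 FROM {table} WHERE {id_col} = ? AND {author_col} = ?",
        (int(raw_id), member_id),  # bound parameters, not string concatenation
    ).fetchone()
    return (True, "author") if row else (False, "not the author")

def demo_db():
    """Constructed sample data: topic 2670 written by member 7, reply 15 by member 9."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE TOPICS (TOPIC_ID INTEGER PRIMARY KEY, T_AUTHOR INTEGER);
        CREATE TABLE REPLY  (REPLY_ID INTEGER PRIMARY KEY, R_AUTHOR INTEGER);
        INSERT INTO TOPICS VALUES (2670, 7);
        INSERT INTO REPLY  VALUES (15, 9);
    """)
    return conn

if __name__ == "__main__":
    db = demo_db()
    for args in [("EditTopic", "2670", 7, 3),   # Gold Member editing own topic
                 ("EditTopic", "2670", 9, 3),   # Gold Member, someone else's topic
                 ("EditTopic", "2670", 9, 4),   # admin
                 ("Edit", "15", None, 0),       # not logged in
                 ("Edit", "15abc", 9, 3)]:      # malformed ID
        print(args, "->", can_edit(db, *args))
```
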

rasure
Junior Member

289 Posts

Posted - 20 September 2004 :  12:17:30
Sorry, only just seen this. Thank you so much cripto9t, I used the second code and it works a treat.

Psychic & Spiritual Development Resources