Archive for myfreeforum.org

       myfreeforum.org Forum Index -> PhpBB3 General Support
Zudane

IF or statement

I have a member that just got to become a mod for a games forum... and he played around in the UCP a bit.  I have some fields hidden, but with how phpbb3 is, I can't hide them from admin or mods.

I decided to go in and make only certain fields show.  So I went between the profile_fields tags and threw in this:

Do not use this code!

Code:
<!-- IF profile_fields.LANG_NAME eq "Tag" -->

   <tr>
      <td class="row1" width="35%">
         <b class="genmed">{profile_fields.LANG_NAME}: </b>
         <!-- IF profile_fields.S_REQUIRED --><b>*</b><!-- ENDIF -->
         <!-- IF profile_fields.LANG_EXPLAIN --><br /><span class="gensmall">{profile_fields.LANG_EXPLAIN}</span><!-- ENDIF -->
      </td>
      <td class="row2">{profile_fields.FIELD}<!-- IF profile_fields.ERROR --><br /><span class="gensmall error">{profile_fields.ERROR}</span><!-- ENDIF --></td>
   </tr>
<!-- ENDIF -->


With a new one for each field I want shown.  It works great, but is a bit lengthy.

Since the fields are handled the same, only shown referenced with different names, is there a way I could list all the names in a single IF statement?

I tried
Code:
<!-- IF profile_fields.LANG_NAME eq "Tag" OR "Sex" -->

But I only get an error.

Is there a way to do this, or do I need to stick with a new block for each?
admin (no pm's please)

You can use a single if:

<!-- IF profile_fields.LANG_NAME eq "Tag" OR  profile_fields.LANG_NAME eq "Sex" -->


But as you say phpbb3 profile fields are awful, there was a post detailing a hack to improve them, and if this is a common hack it may be worth us doing. As you know though there is still a lot going on that weighs against this instantly happening.
Zudane

I think it could be worth it.

Because any karma, cash, country, or any other auto-controlled field (one that the user never needs to touch) can still be edited by ANYONE that has any moderator access on the forum.

As I said, this member is a lone mod (simple mod at that) on a single forum - yet had access to these fields.  I changed it once he edited his Country code (U.S. doesn't load an image properly, ya know)
admin (no pm's please)

I agree there is absolutely no debate about the need, and I really cannot understand how they could have messed it up so badly in the first place.
The only question is on how to proceed? e.g. the likely compatibility of any change we make with any change phpBB3 might make themselves to try and fix things.

Profile fields need a proper set of permissions as to who can enter them and, separate to that, a set of permissions as to who can see them. They also desperately need options for their display so you don't have to edit templates for basic options like image display.

Who would have thought that with phpbb3's obsession with loads of complex permissions at the forum level that just about no one needs, they would not bother with basic permissions for profile fields? It is not exactly joined-up thinking.
Zudane

I think that the big problem is... a group of people working together without working together.
Zudane

Well, I just removed this, and edited the first post.

Sounds like a great idea, but makes one major problem... If the fields do not display, then when you click "Save" they revert back to the default.

Noticed this when I edited my profile and my karma disappeared.
Zudane

AHAHHAHAHAHHA

I took another look at this and it dawned on me what to do!!!

Removing the field means that it is reset to the default value.  So... how can you get it to not show, but not remove it?

Code:
<!-- BEGIN profile_fields -->

<!-- IF profile_fields.LANG_NAME eq "Gold" -->
   <tr>
      <td class="row1" width="35%">
         <div style="display:none;">
            <b class="genmed">{profile_fields.LANG_NAME}: </b>
            <!-- IF profile_fields.S_REQUIRED --><b>*</b><!-- ENDIF -->
            <!-- IF profile_fields.LANG_EXPLAIN --><br /><span class="gensmall">{profile_fields.LANG_EXPLAIN}</span><!-- ENDIF -->
         </div>
      </td>
      <td class="row2">
         <div style="display:none;">
            {profile_fields.FIELD}<!-- IF profile_fields.ERROR --><br /><span class="gensmall error">{profile_fields.ERROR}</span><!-- ENDIF -->
         </div>
      </td>
   </tr>
<!-- ENDIF -->

<!-- IF profile_fields.LANG_NAME != "Gold" -->
   <tr>
      <td class="row1" width="35%">
         <b class="genmed">{profile_fields.LANG_NAME}: </b>
         <!-- IF profile_fields.S_REQUIRED --><b>*</b><!-- ENDIF -->
         <!-- IF profile_fields.LANG_EXPLAIN --><br /><span class="gensmall">{profile_fields.LANG_EXPLAIN}</span><!-- ENDIF -->
      </td>
      <td class="row2">{profile_fields.FIELD}<!-- IF profile_fields.ERROR --><br /><span class="gensmall error">{profile_fields.ERROR}</span><!-- ENDIF --></td>
   </tr>
<!-- ENDIF -->
<!-- END profile_fields -->



Basically, put one section for the fields you want, in this case it's the Gold field.  Put divs around everything inside each of the table data areas, and set the style to display:none.

Then leave the other section for the rest, which is any section not equal to the one you want, in this case every field besides "Gold"
while()

What you NEED to understand is that all of this is simply affecting what is displayed to the user when the stylesheet is used. While this is perfectly acceptable for insecure things and vanity, it is not a viable option for what you're trying to achieve. By setting display:none; you're simply telling the browser not to display it; the field still exists and can quite easily be accessed by that user. The easiest way is to simply disable the stylesheet for the webpage (view > page style > no style). The only 100% secure method is to have the server-side script check that the user has permission to be accessing and using this input form.

For example, if I run a local installation of PHPBB3 I can quite easily find the normal fields I would have access to and then send those variables to the server, so even if you fully delete the HTML for that form, while PHPBB lets me perform those actions based upon my permission level I can still perform them. While the chance of this happening here is slim, do not be under any illusion that this is an acceptable and secure solution to your problem.

admin (no pm's please) wrote:

Who would have thought that with phpbb3's obsession with loads of complex permissions at the forum level that just about no one needs, they would not bother with basic permissions for profile fields? It is not exactly joined-up thinking.


It seems they tried to move away from being a simple forum to being more of a vbulletin "impersonator" and totally missed the basics when doing it. Silly phpbb.
Zudane

If you weren't aware... the phpbb3 permissions systems only have the option of "Display in user control panel", which matters only for non-mod and non-admin accounts.  Admin and mod accounts can see the profile fields no matter what.

So yea, while they CAN still use it, it stops the standard person from seeing it, which means that they aren't editing what they shouldn't be seeing.
while()

Zudane wrote:
If you weren't aware... the phpbb3 permissions systems only have the option of "Display in user control panel", which matters only for non-mod and non-admin accounts.  Admin and mod accounts can see the profile fields no matter what.


That was my point; all you're doing is stopping them from seeing the input fields, the data can still be processed if they send it to the server. Imagine there's a bank vault, it has $100,000 in it and there's a switch behind a panel that opens it. John Doe comes along, he doesn't know that the switch exists so he can't access the money, then Jane Doe comes along and she knows the switch exists, so she flicks the switch and takes the money. This is what you're doing here, you're just hiding the switch. From a programming point of view this is a very bad thing to do, the key is to NEVER trust your users and their input.
admin (no pm's please)

But a forum is not a bank vault and anyone abusing the profile fields can be dealt with.

You have to have a sense of perspective on this. Only one person in 100 would know how to beat Zudane's system, and they would only prove their own stupidity by doing so; after all, in programming terms it is a lame easy thing to do, and all you would achieve is Zudane banning you.
while()

admin (no pm's please) wrote:
But a forum is not a bank vault and anyone abusing the profile fields can be dealt with.

You have to have a sense of perspective on this. Only one person in 100 would know how to beat Zudane's system, and they would only prove their own stupidity by doing so; after all, in programming terms it is a lame easy thing to do, and all you would achieve is Zudane banning you.


In this case, of course, it's pretty much a worthless thing that nobody would bother with, my point was more that if he does this and it works it'll lead onto more of the same with potentially more important things. It's bad practice and it's very hard to unlearn things, if this method works for things like this what's to say he won't go on and use it for more important things that could potentially cause more problems.
admin (no pm's please)

It is certainly well worth noting that for real applications all form submissions should be treated as a rancid pile of malware.

Everything coming in has to be both sanitized and checked for the authority to submit there in the first place.

Probably 25% of the time I spend on any forum add on here is the tedious process of securing the input.
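The server-side check while() and admin are describing, as an added example that is not phpBB's code or anything posted in this thread: the update handler accepts only the fields the actor's role may edit, ignores (and records) everything else, and leaves fields that were not submitted alone. The field names, the roles and the per-role lists are constructed for illustration.

```php
<?php
// Added example (not phpBB code): authorizing profile-field updates on the server,
// so what the template shows or hides has no bearing on what can be changed.
// Field names, roles and the per-role lists below are assumptions for illustration.

// Auto-controlled fields (Gold, Karma here) appear in no role's list: a value
// submitted for them is never applied, whoever sends it.
const EDITABLE_FIELDS = [
    'user'      => ['Tag', 'Sex'],
    'moderator' => ['Tag', 'Sex'],
    'admin'     => ['Tag', 'Sex', 'Country'],
];

/**
 * Merge a submitted form over the stored profile, applying only the fields the
 * actor's role is allowed to edit. Returns [newProfile, rejectedFieldNames].
 *
 * Fields absent from the submission keep their stored value, which also avoids the
 * "hidden field reverts to its default on Save" problem seen earlier in the thread.
 */
function apply_profile_update(array $stored, array $submitted, string $role): array
{
    $allowed  = EDITABLE_FIELDS[$role] ?? [];   // unknown role => nothing editable
    $profile  = $stored;
    $rejected = [];
    foreach ($submitted as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            // Record rather than silently drop: a moderator posting "Gold" is worth a log line.
            $rejected[] = $name;
            continue;
        }
        // Sanitize what we do accept (minimal here: string, trimmed, bounded length).
        $profile[$name] = mb_substr(trim((string) $value), 0, 255);
    }
    return [$profile, $rejected];
}

// Constructed sample: a moderator's request carries a value for a field the UCP
// never displayed to them, as while() describes is possible.
$stored    = ['Tag' => 'Zud', 'Sex' => 'M', 'Gold' => 120, 'Karma' => 7];
$submitted = ['Tag' => 'Zud', 'Gold' => 999999];
[$profile, $rejected] = apply_profile_update($stored, $submitted, 'moderator');

assert($profile['Gold'] === 120);     // auto-controlled field untouched
assert($profile['Sex'] === 'M');      // omitted field keeps its value, no reset to default
assert($rejected === ['Gold']);       // the unauthorized field is recorded for review
echo "rejected: " . implode(', ', $rejected) . PHP_EOL;
```

The same whitelist can drive the template (render only what the role may edit), but the whitelist check in the handler is the part that actually enforces it.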
Zudane

And yea, while it is easy to get through... currently only a half dozen people at most could access the fields without this.  This is just stopping my MODERATORS from accessing them.  I can trust them not to, it's just so they don't play with ones they don't know they aren't supposed to.
