The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/printthread.php 16 require_once



UserSpice
Let's discuss cloaking, backups, and super administrators - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Support Center (https://userspice.com/forums/forumdisplay.php?fid=23)
+--- Forum: UserSpice 4.3 and Below (https://userspice.com/forums/forumdisplay.php?fid=26)
+--- Thread: Let's discuss cloaking, backups, and super administrators (/showthread.php?tid=885)



Let's discuss cloaking, backups, and super administrators - mudmin - 12-12-2017

Security and convenience are often at odds with each other and that's the line we often walk when developing something like userspice. How do we give you access to the features you want and protect you from accidentally opening up your system to problems.

Right now there is a variable (array) declared in init.php called $master_account. Why would we use a hard coded variable? To be honest, I want it to be intentionally difficult to give someone this sort of power.

The fact is, you can override this variable in a lot of different ways. Since it's called in init, you can even generate this array in your own header based on permission levels or whatever you want.

Currently this system affects 3 things:
1. The ability to override maintenance mode.
2. The ability to cloak into another user.
3. The ability to manage backups, which includes fully exporting source code and databases.

Thoughts?


Let's discuss cloaking, backups, and super administrators - mudmin - 12-12-2017

There's also a little hotfix to fix the horizontal scrollbar on admin.php compliments of user @muhammedc

https://pastebin.com/F7P2FxPq