


UserSpice
Let's discuss cloaking, backups, and super administrators - Printable Version




Let's discuss cloaking, backups, and super administrators - mudmin - 12-12-2017

Security and convenience are often at odds with each other, and that's the line we often walk when developing something like UserSpice. How do we give you access to the features you want and protect you from accidentally opening up your system to problems?

Right now there is a variable (array) declared in init.php called $master_account. Why would we use a hard-coded variable? To be honest, I want it to be intentionally difficult to give someone this sort of power.

The fact is, you can override this variable in a lot of different ways. Since it's called in init, you can even generate this array in your own header based on permission levels or whatever you want.

Currently this system affects 3 things:
1. The ability to override maintenance mode.
2. The ability to cloak into another user.
3. The ability to manage backups, which includes fully exporting source code and databases.

Thoughts?


Let's discuss cloaking, backups, and super administrators - mudmin - 12-12-2017

There's also a little hotfix to fix the horizontal scrollbar on admin.php, compliments of user @muhammedc.

https://pastebin.com/F7P2FxPq