Plugin Key Permissions

[dd764ta]

Hi everyone

I have a question about the permissions on plugin keys. Is there any way to have permissions based on the user that created the key?

For example, when attaching data to a Thread Key, I want only that user that created that thread and staff to be able to modify that key. All other members should be able to see it, but not modify it.

I know that there is weak client side validation that can be used such as hiding the UI that modifies the data in the key, but that does not really stop someone from pressing F12 and setting the key from their browser's javascript console. What would be optimal is if that kind of attempt would result in the same error message as when the wrong user attempts to modify a private user key of another member.

Any suggestions?

[Lynx]

A Thread Key will have its data accessible whenever the thread it contains data for is on the current page. As far as I know, there is no "selective write" except from the Key Permissions found in your builder's UI tab.

[Todge]

Lynx is correct.

The only way you'd be able to have that kind of selectivity is to write it into the plugin's code. For example, when the thread is created, the creator's member ID is written to the thread key, then use that as a check when the key is being written to in the future.

[dd764ta]

Thanks for the answers MSG and Todge

Unfortunately writing that selectivity into the plugin's code cannot stop someone with mal-intent from clearing or manipulating it with one easy line of js in their browser's console though. I was hoping for some more secure way that could be validated on the server side when setting the value of the plugin key.

[Todge]

There's not much you can do unfortunately..

You could use localStorage as a backup, the code could then check one against the other and if they don't match, rewrite it, but to be honest, few normal members have the know-how to use the browser console to re-write the key, and I doubt that those that do would bother.

[P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓]

You shouldnt need anything that secure or you might as Well scratch the idea of total security and go to php on your own server lol

[dd764ta]

Thanks for the info about local storage Todge. While I know it is uncommon, I would not want to start a new custom section of the forum built upon a plugin that was so vulnerable. Unlikely that someone would abuse it? Maybe, depending upon the forum visitors. But one bad apple that knows how to google could ruin it for everyone and there is no recovery and the proboards security log won't even show who did it.

P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this.

I am now looking at other options like Parse.JS to store the actual data. If it is allowed with proboards rules, it may be viable. The proboards private user key may be able to bridge a user to an external data store that can maintain some level of security while making it publicly viewable without publicly editable to all.

[P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓]

Aug 17, 2015 17:05:46 GMT -8 dd764ta said:

Thanks for the info about local storage Todge. While I know it is uncommon, I would not want to start a new custom section of the forum built upon a plugin that was so vulnerable. Unlikely that someone would abuse it? Maybe, depending upon the forum visitors. But one bad apple that knows how to google could ruin it for everyone and there is no recovery and the proboards security log won't even show who did it.

P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this.

I am now looking at other options like Parse.JS to store the actual data. If it is allowed with proboards rules, it may be viable. The proboards private user key may be able to bridge a user to an external data store that can maintain some level of security while making it publicly viewable without publicly editable to all.

external files that a plugin uses must be loaded asynchronously

[Quozzo]

Aug 17, 2015 17:05:46 GMT -8 dd764ta said:

P̌̓aͧś̀t̀u͒le͆o͂2̀3̃̓, I don't think that it is much to ask that a plugin key on a post honors the user that posted it as the owner. I'm not trying to make a secure credit card processor out of a forum plugin or anything, but this lack of security would make me feel uncomfortable with anything that my members are trusting my forum to keep safe. Would you feel safe hosting a forum where the edit post feature had no server side validation? Also if I were running my own server I wouldn't be on this forum asking about this.

It is possible. The plugin interface has a Key Permission form field which restricts access to the keys read and/or write access. It can allow everyone to read the key and only the post creator to edit the key, not even admins unless specified in the plugin's Key Permissions.