Disabling the 'I forgot my password' for certain usergroups

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Ideas Centre
Darthmat
Registered User
Posts: 114
Joined: Mon Jun 23, 2008 4:08 pm

Disabling the 'I forgot my password' for certain usergroups

Post by Darthmat »

Is it it possible to do this? This would very good to disable for admins and mods.
User avatar
MartectX
Translator
Posts: 1324
Joined: Wed Dec 19, 2007 8:05 pm
Location: Marienplatz

Re: Disabling the 'I forgot my password' for certain usergroups

Post by MartectX »

For mods and admins you may use the IF U_MCP switch in the template files.

But why would it be so helpful?
Darthmat
Registered User
Posts: 114
Joined: Mon Jun 23, 2008 4:08 pm

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Darthmat »

A forum I belong to has been hacked that way.

Moar detail?
User avatar
Jim_UK
Former Team Member
Posts: 18479
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Jim_UK »

Darthmat wrote:A forum I belong to has been hacked that way.

Moar detail?
How can that be?
The email would be sent to the email address of the account holder and only they would have access to be able to change that. (if they had not forgotten their password that is :D )

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!
Darthmat
Registered User
Posts: 114
Joined: Mon Jun 23, 2008 4:08 pm

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Darthmat »

The email was hacked.
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Phil »

In which case, it's the fault of the user for using an insecure password, and of no fault of the board ;)
Moving on, with the wind. | My Corner of the Web
Darthmat
Registered User
Posts: 114
Joined: Mon Jun 23, 2008 4:08 pm

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Darthmat »

No, it wasn't. I would just like to know how to disable the option for admins and mods, because email hacking is not that hard. ;)
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Techie-Micheal »

Darthmat wrote:No, it wasn't. I would just like to know how to disable the option for admins and mods, because email hacking is not that hard. ;)
I've never had any of my email accounts cracked. Like was said, stronger passwords. And if the user uses the same password for email as they do your site and other sites, then the strongest password in the world won't keep them from getting owned. And the word is "more" not "moar." ;)
Proven Offensive Security Expertise. OSCP - GXPN
Darthmat
Registered User
Posts: 114
Joined: Mon Jun 23, 2008 4:08 pm

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Darthmat »

I little chat speak never hurt anyone. ;)

But I would still like to know how to do this, whether it be phpBB's fault or not.
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Techie-Micheal »

Darthmat wrote:I little chat speak never hurt anyone. ;)
Actually it did. :P But that's just a pet peeve of mine, don't mind me.
But I would still like to know how to do this, whether it be phpBB's fault or not.
Thinking about it, I don't think it'd be too difficult, but you'll need a MOD for it. Without looking at the code, I think all you'll have to do is set an auth for groups of your choosing and check that auth in the forgot password.
Proven Offensive Security Expertise. OSCP - GXPN
User avatar
MartectX
Translator
Posts: 1324
Joined: Wed Dec 19, 2007 8:05 pm
Location: Marienplatz

Re: Disabling the 'I forgot my password' for certain usergroups

Post by MartectX »

I'd try and tamper with ucp.php's "sendpassword": check the provided username if it's a mod or admin and (if yes) stop the processing.
User avatar
Jim_UK
Former Team Member
Posts: 18479
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Jim_UK »

Maybe by making the link absent for Admins and Mods.
Look at how the Admin link at the bottom of the page is only viewable by Admins.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!
ben2309
Registered User
Posts: 90
Joined: Mon Jul 21, 2008 2:49 pm
Location: Scotland :D

Re: Disabling the 'I forgot my password' for certain usergroups

Post by ben2309 »

Code: Select all

<!-- IF not U_MCP or not U_ACP -->
//show the link
<!-- ENDIF -->
I believe would work.
IF YOU VALUE YOUR PRIVACY, SAY NO TO PHORM.
SIGN THE PETITION, CLICK HERE.


Phorm is adware, and your ISPs want to force it on you. Tell them to go eat their own heads.

http://www.badphorm.co.uk/
User avatar
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok
Contact:

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Eelke »

Not displaying the link doesn't stop the functionality being used. It may daunt some of the least bright minds among the hackers out there, but not much else :)
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Disabling the 'I forgot my password' for certain usergroups

Post by Techie-Micheal »

MartectX wrote:I'd try and tamper with ucp.php's "sendpassword": check the provided username if it's a mod or admin and (if yes) stop the processing.
That would work in phpBB2, but not 3 because of the way phpBB3 handles permissions. That's why I suggested the extra auth, as it would use the permission masks.
Proven Offensive Security Expertise. OSCP - GXPN
Post Reply

Return to “phpBB Discussion”