Disabling the 'I forgot my password' for certain usergroups

Darthmat · Post by **Darthmat** » Sun Jul 20, 2008 12:03 pm

Is it it possible to do this? This would very good to disable for admins and mods.

MartectX · Post by **MartectX** » Sun Jul 20, 2008 12:24 pm

For mods and admins you may use the IF U_MCP switch in the template files.

But why would it be so helpful?

Darthmat · Post by **Darthmat** » Sun Jul 20, 2008 5:42 pm

A forum I belong to has been hacked that way.

Moar detail?

Jim_UK · Post by **Jim_UK** » Sun Jul 20, 2008 5:56 pm

Darthmat wrote:A forum I belong to has been hacked that way.

Moar detail?

How can that be?
The email would be sent to the email address of the account holder and only they would have access to be able to change that. (if they had not forgotten their password that is

)

Jim

Darthmat · Post by **Darthmat** » Sun Jul 20, 2008 7:51 pm

The email was hacked.

Phil · Post by **Phil** » Sun Jul 20, 2008 8:08 pm

In which case, it's the fault of the user for using an insecure password, and of no fault of the board

Darthmat · Post by **Darthmat** » Sun Jul 20, 2008 8:15 pm

No, it wasn't. I would just like to know how to disable the option for admins and mods, because email hacking is not that hard.

Techie-Micheal · Post by **Techie-Micheal** » Mon Jul 21, 2008 12:04 am

Darthmat wrote:No, it wasn't. I would just like to know how to disable the option for admins and mods, because email hacking is not that hard.

I've never had any of my email accounts cracked. Like was said, stronger passwords. And if the user uses the same password for email as they do your site and other sites, then the strongest password in the world won't keep them from getting owned. And the word is "more" not "moar."

Darthmat · Post by **Darthmat** » Mon Jul 21, 2008 1:25 am

I little chat speak never hurt anyone.

But I would still like to know how to do this, whether it be phpBB's fault or not.

Techie-Micheal · Post by **Techie-Micheal** » Mon Jul 21, 2008 1:28 am

Darthmat wrote:I little chat speak never hurt anyone.

Actually it did.

But that's just a pet peeve of mine, don't mind me.

But I would still like to know how to do this, whether it be phpBB's fault or not.

Thinking about it, I don't think it'd be too difficult, but you'll need a MOD for it. Without looking at the code, I think all you'll have to do is set an auth for groups of your choosing and check that auth in the forgot password.

MartectX · Post by **MartectX** » Mon Jul 21, 2008 2:01 am

I'd try and tamper with ucp.php's "sendpassword": check the provided username if it's a mod or admin and (if yes) stop the processing.

Jim_UK · Post by **Jim_UK** » Mon Jul 21, 2008 7:21 pm

Maybe by making the link absent for Admins and Mods.
Look at how the Admin link at the bottom of the page is only viewable by Admins.

Jim

ben2309 · Post by **ben2309** » Mon Jul 21, 2008 7:25 pm

Code: Select all

<!-- IF not U_MCP or not U_ACP -->
//show the link
<!-- ENDIF -->

I believe would work.

Eelke · Post by **Eelke** » Mon Jul 21, 2008 8:35 pm

Not displaying the link doesn't stop the functionality being used. It may daunt some of the least bright minds among the hackers out there, but not much else

Techie-Micheal · Post by **Techie-Micheal** » Mon Jul 21, 2008 8:58 pm

MartectX wrote:I'd try and tamper with ucp.php's "sendpassword": check the provided username if it's a mod or admin and (if yes) stop the processing.

That would work in phpBB2, but not 3 because of the way phpBB3 handles permissions. That's why I suggested the extra auth, as it would use the permission masks.

advertisements