Admin-Only HTML Posting

mbressman · Post by **mbressman** » Sat Jan 10, 2004 9:50 pm

Hi,

I wanted to be able to allow administrators to use HTML in their posts if they wanted, but no one else (since its my understanding that allowing HTML can be a greater security risk than not allowing HTML). To that end, I've made the following changes on my board and was wondering if someone could check them for me to see if I'm screwing anything else up or if this should work the way I want it to work (also please see below after the changes for three additional notes regarding these changes):

Please Note: This mod was developed for phpBB 2.0.4

Code: Select all

# 
#-----[ OPEN ]------------------------------------------ 
# 
posting.php

# 
#-----[ FIND ]------------------------------------------ 
# 
if ( !$board_config['allow_html'] )
{
	$html_on = 0;
}
else
{
	$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : ( ( $userdata['user_id'] == ANONYMOUS ) ? $board_config['allow_html'] : $userdata['user_allowhtml'] );
}

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
if ( !$board_config['allow_html'] )
{
	$html_on = 0;
}
else
{
	if ($userdata['user_level'] == ADMIN) {
		$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : ( ( $userdata['user_id'] == ANONYMOUS ) ? $board_config['allow_html'] : $userdata['user_allowhtml'] );
	}
	else
	{
		$html_on = 0;
	}
}

# 
#-----[ FIND ]------------------------------------------ 
# 
if ( $board_config['allow_html'] )

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
if ( $board_config['allow_html'] && $userdata['user_level'] == ADMIN)

# 
#-----[ OPEN ]------------------------------------------ 
# 
privmsg.php

# 
#-----[ FIND ]------------------------------------------ 
# 
	if ( !$board_config['allow_html'] )
	{
		$html_on = 0;
	}
	else
	{
		$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : $userdata['user_allowhtml'];
	}

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
	if ( !$board_config['allow_html'] )
	{
		$html_on = 0;
	}
	else
	{
		if ($userdata['user_level'] == ADMIN) {
			$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : $userdata['user_allowhtml'];
		}
		else
		{
			$html_on = 0;
		}
	}

# 
#-----[ FIND ]------------------------------------------ 
# 
	if ( $board_config['allow_html'] )

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
	if ( $board_config['allow_html'] && $userdata['user_level'] == ADMIN)

# 
#-----[ OPEN ]------------------------------------------ 
# 
templates/subSilver/profile_add_body.tpl

# 
#-----[ FIND ]------------------------------------------ 
# 
<tr> 
	  <td class="row1"><span class="gen">{L_ALWAYS_ALLOW_HTML}:</span></td>
	  <td class="row2"> 
		<input type="radio" name="allowhtml" value="1" {ALWAYS_ALLOW_HTML_YES} />
		<span class="gen">{L_YES}</span>&nbsp;&nbsp; 
		<input type="radio" name="allowhtml" value="0" {ALWAYS_ALLOW_HTML_NO} />
		<span class="gen">{L_NO}</span></td>
	</tr>

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
<!--	<tr> 
	  <td class="row1"><span class="gen">{L_ALWAYS_ALLOW_HTML}:</span></td>
	  <td class="row2"> 
		<input type="radio" name="allowhtml" value="1" {ALWAYS_ALLOW_HTML_YES} />
		<span class="gen">{L_YES}</span>&nbsp;&nbsp; 
		<input type="radio" name="allowhtml" value="0" {ALWAYS_ALLOW_HTML_NO} />
		<span class="gen">{L_NO}</span></td>
	</tr>-->

# 
#-----[ SAVE & CLOSE ALL FILES ]-------------------------- 
# 
# 
#-----[ ADMINISTRATOR CONTROL PANEL ]------------------- 
#
you will need to go into the Administrator Control Panel and go to General Admin: Configuration and under User and Forum Basic Settings change Allow HTML from No to Yes

# 
#-----[ SQL ]------------------------------------------ 
# 
ALTER TABLE `phpbb_users` CHANGE `user_allowhtml` `user_allowhtml` TINYINT( 1 ) DEFAULT '0' 

(this will change the default value for the user_allowhtml field in the phpbb_users table from 1 to 0)

(you will also need to change the current values for all users (except admins) in this field from 1 to 0)

# 
#End

As far as I can tell, these coding changes allow only admins to post HTML in private messages and regular posts while completely removing HTML abilities for regular users. However, two things I've noticed:

1) New users registering still are having the user_allowhtml field in phpbb_users table set to 1 even though I changed the default to 0 (I'm guessing something in the php programming is overriding the default mysql setting...?
2) Even with these new users having the user_allowhtml field in the phpbb_users table set to 1 instead of 0, they still don't seem to be able to post HTML in private messages or regular posts...
3) It seems that when an admin has the user_allowhtml field value in the phpbb_users table changed from 1 to 0, they are still able to post HTML in regular posts and private messages, but the default is that the Disable HTML in this message is checked for their posts (whereas it doesn't appear for regular users post because they are totally unable to post HTML)...leading me to believe that it doesn't really matter whether user_allowhtml is set to 1 or 0 and some of my instructions above might me extraneous...

Any help regarding this or confirmation that it works and doesn't screw anything else up, or advice is greatly appreciated!! Thanks!

AsAf92 · Post by **AsAf92** » Sun Jan 11, 2004 1:26 pm

that's because the defualt never minds, cause the query at register page for some reason.
so look for the query, and edit it, so in the row that the registration adds, user_allowhtml field will be 0.
hope that i helped.

mbressman · Post by **mbressman** » Sun Jan 11, 2004 11:15 pm

AsAf92 wrote: that's because the defualt never minds, cause the query at register page for some reason.
so look for the query, and edit it, so in the row that the registration adds, user_allowhtml field will be 0.
hope that i helped.

I kinda guessed it was something in the includes/usercp_register.php file, but from what I can tell, it really doesn't matter whether the user_allowhtml field in the phpbb_users table is set to 1 or 0, as either way they are not able to post HTML given the other coding modifications I made. Is this correct? Also, if this is the case, then commenting out the code in the templates/subSilver/profile_add_body.tpl and making the SQL changed I outlined is probably not necessary...

Can anyone confirm this? Thanks!

mbressman · Post by **mbressman** » Mon Jan 12, 2004 7:20 am

OK...I decided that the mod the way I initially designed it was way to restrictive. Basically, it would never allow anyone but admin's to post HTML, and that probably isn't a good thing. So, I've added some stuff to it so that now, when HTML is turned on, you can specify in the ACP whether only admin's should be able to post HTML in private messages and regular posts, or whether all users (including anonymous) should be allowed to post HTML in private messages and regular HTML. Here's the code to make these changes:

REQUIREMENTS: must first make code changes that I listed above/initially

Code: Select all

# 
#-----[ OPEN ]------------------------------------------ 
# 
posting.php

# 
#-----[ FIND ]------------------------------------------ 
#
if ( !$board_config['allow_html'] ) 
{ 
   $html_on = 0; 
} 
else 
{ 
   if ($userdata['user_level'] == ADMIN) { 
      $html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : ( ( $userdata['user_id'] == ANONYMOUS ) ? $board_config['allow_html'] : $userdata['user_allowhtml'] ); 
   } 
   else 
   { 
      $html_on = 0; 
   } 
} 

# 
#-----[ REPLACE WITH ]------------------------------------------ 
#
if ( !$board_config['allow_html'] )
{
	$html_on = 0;
}
else
{
	if ($board_config['html_admin_only'] ) 
	{
		if ($userdata['user_level'] == ADMIN) 
		{
			$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : ( ( $userdata['user_id'] == ANONYMOUS ) ? $board_config['allow_html'] : $userdata['user_allowhtml'] );
		}
		else
		{
			$html_on = 0;
		}		
	}
	else
	{
		$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : ( ( $userdata['user_id'] == ANONYMOUS ) ? $board_config['allow_html'] : $userdata['user_allowhtml'] );
	}
}

# 
#-----[ FIND ]------------------------------------------ 
# 
if ( $board_config['allow_html'] && $userdata['user_level'] == ADMIN)
{
	$html_status = $lang['HTML_is_ON'];
	$template->assign_block_vars('switch_html_checkbox', array());
}
else
{
	$html_status = $lang['HTML_is_OFF'];
}

# 
#-----[ REPLACE WITH ]------------------------------------------ 
#
if ( $board_config['allow_html'] )
{
	if ( $board_config['html_admin_only'] )
	{
		if ($userdata['user_level'] == ADMIN) 
		{
			$html_status = $lang['HTML_is_ON'];
			$template->assign_block_vars('switch_html_checkbox', array());
		}
		else
		{
			$html_status = $lang['HTML_is_OFF'];
		}
	}
	else
	{
		$html_status = $lang['HTML_is_ON'];
		$template->assign_block_vars('switch_html_checkbox', array());	
	}
}
else
{
	$html_status = $lang['HTML_is_OFF'];
}

# 
#-----[ OPEN ]------------------------------------------ 
# 
privmsg.php

# 
#-----[ FIND ]------------------------------------------ 
# 
	if ( !$board_config['allow_html'] )
	{
		$html_on = 0;
	}
	else
	{
		if ($userdata['user_level'] == ADMIN) {
			$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : $userdata['user_allowhtml'];
		}
		else
		{
			$html_on = 0;
		}
	}

# 
#-----[ REPLACE WITH ]------------------------------------------ 
#
	if ( !$board_config['allow_html'] )
	{
		$html_on = 0;
	}
	else
	{
		if ($board_config['html_admin_only'] ) 
		{
			if ($userdata['user_level'] == ADMIN) 
			{
				$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : $userdata['user_allowhtml'];
			}
			else
			{
				$html_on = 0;
			}		
		}
		else
		{
			$html_on = ( $submit || $refresh ) ? ( ( !empty($HTTP_POST_VARS['disable_html']) ) ? 0 : TRUE ) : $userdata['user_allowhtml'];
		}
	}

# 
#-----[ FIND ]------------------------------------------ 
# 
	if ( $board_config['allow_html'] && $userdata['user_level'] == ADMIN)
	{
		$html_status = $lang['HTML_is_ON'];
		$template->assign_block_vars('switch_html_checkbox', array());
	}
	else
	{
		$html_status = $lang['HTML_is_OFF'];
	}

# 
#-----[ REPLACE WITH ]------------------------------------------ 
#
	if ( $board_config['allow_html'] )
	{
		if ( $board_config['html_admin_only'] )
		{
			if ($userdata['user_level'] == ADMIN) 
			{
				$html_status = $lang['HTML_is_ON'];
				$template->assign_block_vars('switch_html_checkbox', array());
			}
			else
			{
				$html_status = $lang['HTML_is_OFF'];
			}
		}
		else
		{
			$html_status = $lang['HTML_is_ON'];
			$template->assign_block_vars('switch_html_checkbox', array());	
		}
	}
	else
	{
		$html_status = $lang['HTML_is_OFF'];
	}

# 
#-----[ OPEN ]------------------------------------------ 
# 
templates/subSilver/profile_add_body.tpl 

# 
#-----[ FIND ]------------------------------------------ 
# 
<!--	<tr> 
	  <td class="row1"><span class="gen">{L_ALWAYS_ALLOW_HTML}:</span></td>
	  <td class="row2"> 
		<input type="radio" name="allowhtml" value="1" {ALWAYS_ALLOW_HTML_YES} />
		<span class="gen">{L_YES}</span>&nbsp;&nbsp; 
		<input type="radio" name="allowhtml" value="0" {ALWAYS_ALLOW_HTML_NO} />
		<span class="gen">{L_NO}</span></td>
	</tr>-->

# 
#-----[ REPLACE WITH ]------------------------------------------ 
# 
	<tr> 
	  <td class="row1"><span class="gen">{L_ALWAYS_ALLOW_HTML}:</span></td>
	  <td class="row2"> 
		<input type="radio" name="allowhtml" value="1" {ALWAYS_ALLOW_HTML_YES} />
		<span class="gen">{L_YES}</span>&nbsp;&nbsp; 
		<input type="radio" name="allowhtml" value="0" {ALWAYS_ALLOW_HTML_NO} />
		<span class="gen">{L_NO}</span></td>
	</tr>

# 
#-----[ OPEN ]------------------------------------------ 
# 
admin/admin_board.php

# 
#-----[ FIND ]------------------------------------------ 
# 
$html_no = ( !$new['allow_html'] ) ? "checked=\"checked\"" : "";

# 
#-----[ AFTER ADD ]------------------------------------------ 
#

$html_admin_only_yes = ( $new['html_admin_only'] ) ? "checked=\"checked\"" : "";
$html_admin_only_no = ( !$new['html_admin_only'] ) ? "checked=\"checked\"" : "";

# 
#-----[ FIND ]------------------------------------------ 
# 
	"L_ALLOW_HTML" => $lang['Allow_HTML'],

# 
#-----[ AFTER ADD ]------------------------------------------ 
#
	"L_HTML_ADMIN_ONLY" => $lang['html_admin_only'],
	"L_HTML_ADMIN_ONLY_EXPLAIN" => $lang['html_admin_only_explain'],

# 
#-----[ FIND ]------------------------------------------ 
# 
	"HTML_NO" => $html_no,

# 
#-----[ AFTER ADD ]------------------------------------------ 
#
	"S_HTML_ADMIN_ONLY_YES" => $html_admin_only_yes, 
	"S_HTML_ADMIN_ONLY_NO" => $html_admin_only_no,

# 
#-----[ OPEN ]------------------------------------------ 
# 
language/lang_english/lang_main.php 

# 
#-----[ FIND ]------------------------------------------ 
# 
$lang['Allow_HTML'] = 'Allow HTML';

# 
#-----[ AFTER ADD ]------------------------------------------ 
#
$lang['html_admin_only'] = 'Allow HTML Posting for Administrators Only';
$lang['html_admin_only_explain'] = 'This allows only Administrators of the board to make posts containing HTML, while other users (including anonymous users) still cannot post using HTML (but can read posts containing HTML with the HTML formatting intact) - requires HTML to be turned on board-wide';

# 
#-----[ OPEN ]------------------------------------------ 
# 
templates/subSilver/admin/board_config_body.tpl 

# 
#-----[ FIND ]------------------------------------------ 
# 
	<tr>
		<td class="row1">{L_ALLOW_HTML}</td>
		<td class="row2"><input type="radio" name="allow_html" value="1" {HTML_YES} /> {L_YES}&nbsp;&nbsp;<input type="radio" name="allow_html" value="0" {HTML_NO} /> {L_NO}</td>
	</tr>

# 
#-----[ AFTER ADD ]------------------------------------------ 
# 
	<tr> 
         <td class="row1">{L_HTML_ADMIN_ONLY}<br /><span class="gensmall">{L_HTML_ADMIN_ONLY_EXPLAIN}</span></td>
         <td class="row2"><input type="radio" class="checkbox" name="html_admin_only" value="1" {S_HTML_ADMIN_ONLY_YES} /> {L_YES}  <input type="radio" class="checkbox" name="html_admin_only" value="0" {S_HTML_ADMIN_ONLY_NO} /> {L_NO}</td>
    </tr>

# 
#-----[ SAVE & CLOSE ALL FILES ]-------------------------- 
# 
#-----[ SQL ]------------------------------------------ 
# 
INSERT INTO phpbb_config (config_name, config_value) VALUES ('html_admin_only ', '1'); 
# 
#End

If HTML was previously on board-wide, after these changes it will only be on for Administrators. If you still want it to be on for everyone else, simply change the 1 to a 0 in the SQL command.

Well, I think overall this is a nice mod! I'd welcome testing...and I think once I combine this with the previous code and polish it up so that it reads correctly, it will be a good mod!

This mod is only developed for 2.0.4 (since thats the board I'm currently running)...can I still submit it for official approval by phpBB?? If so, how? Thanks!!

netjet · Post by **netjet** » Fri Feb 06, 2004 3:29 pm

is working for phpbb 2.0.6 ?

thanks

mbressman · Post by **mbressman** » Fri Feb 06, 2004 3:34 pm

Sorry....I have no idea if it works for 2.0.6 since I'm not sure what was changed between 2.0.4 and 2.0.6 - you can try it and I'd be interested to know if it does work on 2.0.6

palmsun · Post by **palmsun** » Wed Mar 10, 2004 6:05 pm

Hi,

it work at 2.0.6.

I installed the mod and it works smoothly so far.

Great mod - Thanks.

Elad Repooc · Post by **Elad Repooc** » Sun Apr 25, 2004 3:32 pm

works with 2.0.8 as well

very useful MOD, thank u!

mbressman · Post by **mbressman** » Sun Jun 27, 2004 7:49 am

Elad Repooc wrote: works with 2.0.8 as well

very useful MOD, thank u!

No problemo!

I don't really have the time to polish up the code or put it in the correct format for official submission for approval by phpBB, but if anyone has some time and would like to do this for me, I'd be more than happy to share authorship and/or credit for this mod. Just let me know....

youngarmy · Post by **youngarmy** » Wed Oct 05, 2005 10:23 am

Hi,
I found this MOD very useful, there is I guess just one thing you haven't thought about. If html is on board wide in the config, html is still allowed in the signatures of every user.

I just can't find where I have to change that, I hope someone of you guys has an idea.

CU

youngarmy · Post by **youngarmy** » Wed Oct 05, 2005 5:09 pm

If someone knows how to change the defalut value for new registering users to 0 instead of 1. That would help as well.

Thanks

advertisements