1

Topic: Userlist Access 1.0

##
##
##        Mod title:  Userlist Access
##
##      Mod version:  1.0
##   Works on PunBB:  1.2.10
##     Release date:  2005-11-16
##           Author:  Atis Lezdins (atis@best.eu.org)
##
##      Description:  This mod allows to forbid seeing userlist and profiles
##                    for certain groups.
##
##   Affected files:  userlist.php
##                    profile.php
##                    admin_groups.php
##                    include/functions.php
##
##       Affects DB:  Yes
##
##            Notes:  This mod allows to forbid certain group to see the
##                    user lists and profiles. As well - the 'user list'
##                    is hidden from main menu if inaccessible
##                    This is my first mod, so I might miss something, but it
##                    works for me right now ;-)
##                    Also there are .diff files included in this package
##                    and you are encouraged to use them instead of step-by-step
##                    changing of files.
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
##

Download: http://www.punres.org/download.php?id=482

2

Re: Userlist Access 1.0

works nice.

Re: Userlist Access 1.0

cool big_smile

4

Re: Userlist Access 1.0

I love the mod but there is one issue that I can find. I hope there is a fix for it. I disabled the userlist for Guests.

I logged out of my board and cleared cookies and stuff. The userlist link isn't on my board but if I type in the domain (ie: http://www.domain.com/punbb/userlist.php) then the userlist will come up. I want it disabled for view unless you are logged in.

Re: Userlist Access 1.0

j2k4b wrote:

I logged out of my board and cleared cookies and stuff. The userlist link isn't on my board but if I type in the domain (ie: http://www.domain.com/punbb/userlist.php) then the userlist will come up. I want it disabled for view unless you are logged in.

This is something I've been doing for a while, a manual hack to the functions.php and userlist.php which stops the user list menu item being shown or the userlist.php page being opened when manually entered in the address bar.

The code looks like this.....

in functions.php to prevent the menu item appearing....

//
// Generate the "navigator" that appears at the top of every page
//
function generate_navlinks()
{
    global $pun_config, $lang_common, $pun_user;

    // Index should always be displayed
    $links[] = '<li id="navindex"><a href="index.php">'.$lang_common['Index'].'</a>';

    // Confirm the user has authenticated before displaying the menu option.
    if ($pun_user['is_guest'] == '0')
        $links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';

    if ($pun_config['o_rules'] == '1')
        $links[] = '<li id="navrules"><a href="misc.php?action=rules">'.$lang_common['Rules'].'</a>';
.
.
.
etc.

And then in the userlist.php....to prevent a typed url being used....


define('PUN_ROOT', './');
require PUN_ROOT.'include/common.php';

if ($pun_user['g_read_board'] == '0')
    message($lang_common['No view']);

// Verify the user has authenticated and display Permission Error if not.
if ($pun_user['is_guest'] == '1')
    message($lang_common['No permission']);
else
{

// Load the userlist.php language file
require PUN_ROOT.'lang/'.$pun_user['language'].'/userlist.php';

// Load the search.php language file
require PUN_ROOT.'lang/'.$pun_user['language'].'/search.php';
.
.
.
etc.

<?php
} // closes the else block opened after the guest check
require PUN_ROOT.'footer.php';



If you want to enter the code I'd suggest searching for some of the surrounding text to get you to the right place first.
It works for me and if anyone has the time to make it into a full blown mod then go for it....

6 (edited by Smartys 2006-01-24 00:38)

Re: Userlist Access 1.0

err, is_guest returns true/false tongue
Your code would work, since you're not using ===, but why not just stick with if ($pun_user['is_guest']) and if (!$pun_user['is_guest'])

Re: Userlist Access 1.0

As long as the result is "True" (the user is a guest) then you can do it anyway you like. There's more than one way to skin a cat...

Forgive the long winded way of doing it, I am a complete PHP novice, I found a way to do what I wanted and stuck with it.
It all came about from a forum I visit where I wasn't too keen on the ability for all and sundry to see the registered users (it was a security forum after all). So I had a poke around and came up with this fix, I tested running on my PC, informed the forum admin that it works and he's still yet to implement. Perhaps he doesn't think it matters that much...he's hoping it'll appear in a future release so that he doesn't have to keep patching after an update.

There's always a better way and if I keep reading and posting on here, you never know I may learn something...

Thanks for the input.

SWF

8

Re: Userlist Access 1.0

j2k4b wrote:

I love the mod but there is one issue that I can find. I hope there is a fix for it. I disabled the userlist for Guests.

I logged out of my board and cleared cookies and stuff. The userlist link isn't on my board but if I type in the domain (ie: http://www.domain.com/punbb/userlist.php) then the userlist will come up. I want it disabled for view unless you are logged in.

This is supposed to be done by this mod.

I suppose, you already disabled userlist access for guest group:

Administration -> User Groups -> Edit Guest -> View user list = No

You could check the following:

In userlist.php, line 30 should be

if ($pun_user['g_read_board'] == '0' || $pun_user['g_view_users'] == '0')

9 (edited by twohawks 2006-09-22 08:33)

Re: Userlist Access 1.0

I have applied this mod for our forum and it appears to be working fine, except for two things...
Now, we are using build 1.2.12, which technically this does not support.  I went ahead and edited install_mod.php to include the version and then updated the database, no prob.

Then I went ahead and began editing the files per the read me.

This was okay up until in steps 19, 20, and 21 where it asks you to edit line 36 in profile.php, because in this version of punbb the lines have already been edited to something else (and I am unsure how to figure out what to do without sitting down and studying it, ...something not for tonite!)

Sooo...  so I went ahead and tested it without that last edit, and everything seems to work great..., excepting that if the guest goes into a post they do see the Poster's ident as a clickable link ...which just so happens to let them in to view that individual's profile  ;^(
Bummer.

So I am wondering if I need to figure out that last code edit in "profile.php", ..if that is the 'trick' to the last access point?  Seems it would be.  Maybe I can figure it out tomorrow.  If someone here sees this and figures out the correct edit for that sooner (and I am not guaranteeing I can do it tomorrow, if ever LOL...) sure would appreciate it.

Really Nice Mod otherwise, atis.  ty
Cheers,
TwoHawks

Edited Later:  Just to let you know, I did edit the entry by adding the line
if ($pun_user['g_read_board'] != '0') $permitted = 1;
else if ($pun_user['g_view_users'] != '0') $permitted = 1;              // <<< this one added here
else if ($action == 'change_pass' && isset($_GET['key'])) $permitted = 1;
else if ($action == 'activate_account' && isset($_GET['key'])) $permitted = 1;
else $permitted = 0;

...and I really think this ought to work... don't understand why it doesn't??  Guest user still accesses the user's profile instead of the 'alternate message'.  What am I missing?

TwoHawks
Love is the Function
No Form is the Tool

10

Re: Userlist Access 1.0

well, seems that 

if ($pun_user['g_read_board'] != '0') $permitted = 1;

is executed before, so you need to combine it with

$pun_user['g_view_users'] != '0'

also there is part
  $pun_user['id'] != $id
it means - you can view your own profile, but not others. I don't know how to get this in new version, so just experiment a bit, could be the same.

So as I understand, in new version by default it is not permitted to view, so it could be something like this

if ($pun_user['g_read_board'] != '0' && ($pun_user['g_view_users'] != '0' || $pun_user['id'] == $id)) $permitted = 1;


If it works, could you please modify the notes, and post them here, as I don't have this version, and am quite busy right now.

11 (edited by twohawks 2006-09-22 21:16)

Re: Userlist Access 1.0

THANK YOU!   This works.
Sorry to have to ask you to "teach me" to pay attention to "the logic of self"... but that's where I think I lost it!  I had changed the AND / OR logic when I was working it somehow and failed to notice, and then when it failed,  I erroneously started trimming it out (as opposed to witnessing my first error!).. I did not understand the (obvious) use of $pun_user['id'], so I did not procedurally troubleshoot my work correctly.
- newby anti-logic! ---

Here is the current change to the read me for the proper mod-edit:
###############################################
#---------[ 19. OPEN ]--------------------------------------------------------
#

profile.php

#
#---------[ 20. FIND (line: 36) ]---------------------------------------------
#

    if ($pun_user['g_read_board'] != '0') $permitted = 1;
else if ($action == 'change_pass' && isset($_GET['key'])) $permitted = 1;
else if ($action == 'activate_account' && isset($_GET['key'])) $permitted = 1;
else $permitted = 0;

#---------[ 21. REPLACE WITH ]------------------------------------------------

    if ($pun_user['g_read_board'] != '0' && ($pun_user['g_view_users'] != '0' || $pun_user['id'] == $id)) $permitted = 1;
else if ($action == 'change_pass' && isset($_GET['key'])) $permitted = 1;
else if ($action == 'activate_account' && isset($_GET['key'])) $permitted = 1;
else $permitted = 0;

#####################################################

Thank you for this much-needed mod.  We are all cozy and safe now ! ;^)

TwoHawks
Love is the Function
No Form is the Tool
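
Why the first attempt failed and the step 21 condition works, as an added example that is not part of any post or of the mod itself: in the else-if chain the `g_read_board` branch matches for anyone who can read the board, so the added `g_view_users` branch is never reached. The function names, `$viewer` (standing in for `$pun_user`), `$hasKey` (standing in for `isset($_GET['key'])`) and all sample values are assumptions made for this illustration.

```php
<?php
// Added example: models only the $permitted decision in profile.php.
// $viewer stands in for $pun_user; $id is the requested profile id;
// $hasKey stands in for isset($_GET['key']).

// First attempt: g_view_users added as its own else-if branch.
function permitted_first_attempt(array $viewer, int $id, ?string $action, bool $hasKey): int
{
    if ($viewer['g_read_board'] != '0') $permitted = 1;      // matches first, ends the chain
    else if ($viewer['g_view_users'] != '0') $permitted = 1; // only reached if the board is unreadable
    else if ($action == 'change_pass' && $hasKey) $permitted = 1;
    else if ($action == 'activate_account' && $hasKey) $permitted = 1;
    else $permitted = 0;
    return $permitted;
}

// Step 21: board access AND (may view users OR is looking at own profile).
function permitted_corrected(array $viewer, int $id, ?string $action, bool $hasKey): int
{
    if ($viewer['g_read_board'] != '0'
        && ($viewer['g_view_users'] != '0' || $viewer['id'] == $id)) $permitted = 1;
    else if ($action == 'change_pass' && $hasKey) $permitted = 1;
    else if ($action == 'activate_account' && $hasKey) $permitted = 1;
    else $permitted = 0;
    return $permitted;
}

// Constructed viewers: ids and group flags are sample values.
$guest   = ['id' => 1, 'g_read_board' => '1', 'g_view_users' => '0'];
$member  = ['id' => 7, 'g_read_board' => '1', 'g_view_users' => '0'];
$trusted = ['id' => 8, 'g_read_board' => '1', 'g_view_users' => '1'];
$locked  = ['id' => 9, 'g_read_board' => '0', 'g_view_users' => '0'];

// label => [viewer, requested profile id, action, key present]
$cases = [
    'guest, view denied, profile 5'          => [$guest,   5, null,          false],
    'member 7, view denied, profile 5'       => [$member,  5, null,          false],
    'member 7, view denied, own profile'     => [$member,  7, null,          false],
    'member 8, view allowed, profile 5'      => [$trusted, 5, null,          false],
    'no board access, change_pass with key'  => [$locked,  9, 'change_pass', true],
    'no board access, no action'             => [$locked,  5, null,          false],
];

printf("%-42s %-6s %s\n", 'case', 'first', 'corrected');
foreach ($cases as $label => [$viewer, $id, $action, $hasKey]) {
    printf(
        "%-42s %-6d %d\n",
        $label,
        permitted_first_attempt($viewer, $id, $action, $hasKey),
        permitted_corrected($viewer, $id, $action, $hasKey)
    );
}
```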

Re: Userlist Access 1.0

Just so that you know, I have extended this mod slightly on my PunBB installation.

I run a forum that is kept very private until registrations are approved, and so I had a need to hide the online users and the last registered user, but felt that it was also helpful to hide the post counts etc..

This can be done by adding the If statement in section 18 of the readme, to the Index.php where the stats are fetched (well, actually I just used the second part of the If statement relating to g_view_user).


It's not perfectly pretty, as the titles 'last registered user' & the post count titles still appear but with no data next to them.  I guess the Index.php could be modded further so that that whole section is done as php output, and then suppressed using the If statement described, but it works just fine as it is.

Just thought I would highlight that as something easy to do.


Very good mod - thanks, I needed it.

Re: Userlist Access 1.0

Hello,

I installed this mod easily and found it awesome, since it was just what I was looking for... Except on one point : it's probably linked to twohawks' message, but on the other way round :

1) I don't want members to access to the whole alphabetical userlist, so I checked the "no" choice to the "viewuserlist" plugin in the admin panel : success.

2) I want members to access to writer's profile who post messages : this is blocked by this mod, and I would like to know what to change to unlock this possibility without unlocking access to the whole userlist.

Should I do exactly the reverse operation that suggested by twohawks 2 messages above ?

Re: Userlist Access 1.0

Hi new morning (I kind of like the ring to that ;^)...

Without digging into the code I don't think you can restrict access to the list while allowing access to the list, which is what it seems you wish to do..

i.e., if I am a member and cannot access the list of users, then there's no way I am going to have access to your profile link in your post because it takes me to the users list, to which I have no access.

The only way to do what I think it is you wish to do would be to create a mod that allows "grouping members" according to some criteria, and then allowing members to view only the other members in the same group.
I don't think there would be some other practical way to approach this.

Just my two-sense.

Maybe something else would help if we knew the reason for wanting to do this (i.e., the logic).
Cheers,
HTH

TwoHawks
Love is the Function
No Form is the Tool

Re: Userlist Access 1.0

Thanks for answering Twohawks, though I would have appreciated a more optimistic statement :\

This the "logic" of my demand.

I created a "secured" forum for a non-profit organisation : only members of the organisation are allowed to read and post. Since it would have been rather complicated to check every subscription, I personally subscribed every member with a very useful mod called "batch user register".

The trouble is that among the hundreds of subscribed members, some probably wouldn't fancy being on a list visible by so many. That is why I looked for a mod hiding the whole list.

On the other hand, those who post on the forum know that their names are clearly visible (usernames are real names) and probably don't mind to show what they personally wrote in their "profile" for everyone to see. This is why I'm asking how to do the trick, and thought that the troubles you described up above could be my solution smile

16 (edited by twohawks 2008-05-10 00:28)

Re: Userlist Access 1.0

Hmmmmm, yeah, I think I have to backpedal here a little and say I think you can do something close to what you want (I just don't get enough coffee some days)...

forgive me, I don't have time to look at the code right this moment and give it to you straight, but I think it would be possible to add some code that would impose the following logic...

"if user can read the board AND (view_users isn't 0 OR id is true) AND user has posted is true,"
"then permit view list", i.e.,
   if ($pun_user['g_read_board'] != '0' && ($pun_user['g_view_users'] != '0' || $pun_user['id'] == $id) && pun_user_posts is true) $permitted = 1;

...where... you need the proper statement for "pun_user_posts is true", of course, and also...
you have to poll/pull the "posted info" from the database in the preceding db lookup in order to have that info available.

So the idea being you could give them all permission to view the list, but it wouldn't kick in until they had at least posted once in the past ;^)

If that suits, you should be able to figure it out from there.  Good luck.
Cheers,
HTH

(Somebody check me on this, my coffee is weak today...)

TwoHawks
Love is the Function
No Form is the Tool

Re: Userlist Access 1.0

Thanks for trying to figure out my needs, Twohawks, but I'm not so sure I've been clear enough or that I precisely get your point : I don't want posting users to access the "mega" list including all the users, nor a list including all the users that did post (but that option would be all right, since they already appear somewhere in the forum) : I just want them to access to "profile" section where personal data can be shown or hidden according to the user's preferences, and this profile section would only be possible to access if the link is somewhere, i e on the left side on this user's message.

Does that make sense to distinguish between the users' "profile" sections and the general "userlist" section ? It seems that the first one matches with "profile.php" and the second one with "userlist.php", and I don't see the point in the present "userlist_access" mod in restricting access to profile.php... Is it inherent to PunBB's structure ?

Re: Userlist Access 1.0

Hi nm... While I don't follow everything exactly, I think I get you a little better per difference between userlist and profile page you are speaking to.
And no, I don't think the userlist mod is going to help a user to be  able to customize who can see what on their own profile.
Maybe you could consider playing with removing the userlist.php page and links to it altogether (sounds like you don't really want it), and go from there.
I am sorry I could not offer more help with this.
Good luck.
HTH

TwoHawks
Love is the Function
No Form is the Tool

19 (edited by new morning 2008-05-11 10:01)

Re: Userlist Access 1.0

Well, it's not that I want to customize anything that isn't already possible on PunBB : it's just that I was disappointed to realise that this mod blocks access to other members' profiles, usually accessible from their posts OR the list... For instance, if you click on "new morning" on the left hand side of this post, you will access to my profile, through profile.php, and I don't see why this is related to the access of the userlist, commanded through userlist.php

But I experienced it on my own forum, when I'm logged as a "member" instead of "admin" or "moderator", I can't access to the list (which is the purpose of this mod) NOR other members' profile (which I did not intend to block) (to see, for example, how many posts they made, real name, ICQ, etc.).

When I installed this mod, I only meant to block access to the userlist, not to other members profile : did I make any mistake, probably related to the change of code you mentioned above that occurred in PunBB 1.2.17 ? otherwise I don't see the logic in blocking both userlist AND profile in the same mod.

Re: Userlist Access 1.0

new morning wrote:

Well, it's not that I want to customize anything that isn't already possible on PunBB :

I am certain you can customize it, or have someone do it for you, in the exact way you want... it's just that I cannot spend the time right now... I was only passing by and trying to offer some pointers if I could.

new morning wrote:

It's just that I was disappointed to realise that this mod blocks access to other members' profiles, usually accessible from their posts OR the list...

Yes, typically for the logic in this setup is they are somewhat tied together, i.e., if you wished to block access to the profiles, the list would thus be inaccessible; as well, typically if you wished to block access to the list of users, then their profiles would be inaccessible.
So no, the logic is as you are observing it, and you did not make any mistake, and the logic is consistent with the intended simplicity of design.
As well, the simplicity also allows for sculpting a solution that would suit.

new morning wrote:

For instance, if you click on "new morning" on the left hand side of this post, you will access to my profile, through profile.php, and I don't see why this is related to the access of the userlist, commanded through userlist.php

As I said in my previous post, you could enable viewing of profiles, and thus the list, and then simply remove the list page and any links to it... then no one could access the list, but people's profile links would show, and readers would have access to that.
This of course does not address the issue of how a user might customize what others may see... that's another issue that would have to be coded out.  It also does not address the problem (equation) of administrative access to the list.

I think all these things can be worked out. You might try hunting around outside this thread, and at punres.org too, and.....

nm, there are big changes going on here you should know about, I suggest you read the news section. 

Cheers,
TwoHawks

TwoHawks
Love is the Function
No Form is the Tool

Re: Userlist Access 1.0

Ok, thanks for the news Twohawks, I'm not sure I'll be the first to rush upon the 1.3 version, unless all the mods I installed fit all right...

I will probably seem insistent, but this part of your first message seemed to explain how to do what I was looking for:

twohawks wrote:

This was okay up until in steps 19, 20, and 21 where it asks you to edit line 36 in profile.php, because in this version of punbb the lines have already been edited to something else (and I am unsure how to figure out what to do without sitting down and studying it, ...something not for tonite!)

Sooo...  so I went ahead and tested it without that last edit, and everything seems to work great..., excepting that if the guest goes into a post they do see the Poster's ident as a clickable link ...which just so happens to let them in to view that individual's profile  ;^(

I suppose I could try this when I get some free time.

Re: Userlist Access 1.0

what's the difference from this? http://www.punres.org/viewtopic.php?pid=25094#p25094

which is better?