Using nsngroups for admin privileges

Posted: Mon Apr 07, 2008 9:42 am

I am just floating a general idea and some code by the community here. Background, as you know, is that Nuke provides a standard mechanism for defining and implementing administrative privileges. If you want a user to have admin privileges for a given module you can add them to the authors table and give them rights to that module. Their authors id then gets added in comma delimited format to the admins field of the modules table for that module. When they sign in to their admin id the function is_admin in mainfile takes care of granting the privileges. The administrative part of the module is defined in /modules/modulex/admin. There's more that has to be done, writing case and links files, for instance, but that's the long and short of it.

This mechanism is "sort of okay" for people who are going to be serious admins on your site but it sort of expletive deleteds for casual admins or those people who you want to give limited admin privileges to. For instance, I have a bicycle ride calendar on my site. I want a limited set of people to be able to enter rides but I don't want them to have admin privileges over the whole module. In addition, whenever I set such casual admins up in the authors table I have the whole p.i.t.a. of them forgetting their passwords and or forgetting to sign in and it just adds a whole headache factor to the situation. What I want them to have by virtue of their normal sign in is to have admin privileges.

In early incarnations of my ride calendar module I just created my own security groups table to handle this. I was too lazy to write an admin application to handle the security groups so whenever I had to add someone I just went into phpmyadmin and added them. But when nsngroups got added as an integral part of Ravennuke, it became obvious to me that I should use that instead. While the interface for adding users to a nsngroup is not great it sure beats opening phpmyadmin.

Originally when I was thinking about this I was thinking "I'll just use the is_group function in mainfile. Not. This function has nothing to do with nsngroups as I found out this morning. So what we need is a function for mainfile that determines if a user in in a privileged group and a standard means for accessing that function. Here's version 1 of what I've come up with:

1. In the module do something like this:

Code:

$gname = 'rc_admin,Board of Directors';


if (is_nsngroup($user,$gname)) {


      $_SESSION['rc_admin'] = '1';


     $rc_admin = '1';


     }


     else {


          $_SESSION['rc_admin'] = '0';


          $rc_admin = '0';


     }

Note: I use sessions but that's not necessary. The privileges could just be tested by calling the function throughout. Note that I've allowed for multiple groups to have access by comma delimiting them in the variable $gname.

Next I wrote a function for mainfile that goes like this:

Code:

function is_nsngroup($user, $gname) {


    global $prefix, $db, $user_prefix, $cookie, $user;


    if (is_user($user)) {


        if(!is_array($user)) {


            $cookie = cookiedecode($user);


            $uid = intval($cookie[0]);


        } else {


            $uid = intval($user[0]);


        }


        $gname = explode(',', $gname);


        foreach($gname as $value) {


             echo $value;


            $resultgid = $db->sql_query('SELECT `gid` FROM `'.$prefix.'_nsngr_groups` WHERE `gname`=\''.$value.'\'');


            $num3 = '0';


            while ($row = $db->sql_fetchrow($resultgid)) {


               $gid = $row['gid'];


               $resultgroup = $db->sql_query('SELECT `gid` FROM `'.$prefix.'_nsngr_users` WHERE `uid` =\''.$uid.'\' AND `gid`=\''.$gid.'\'');


               $numusers = $db->sql_numrows($resultgroup);


               $num3 = $num3 + $numusers;


            }


         }


         if ($num3 > 0) {


            return 1;


         }


         else {


            return 0;


         }


      }


}

This is kind of crude but it's working in my test system.

Now whenever I have a section of the module that I want to limit access to I just have to invoke is_nsngroup and echo or not echo the code depending on whether the user is part of that group. Needless to say I also have to have rc_admini and Board of Directors groups set up in nsngroups.

Thoughts? Suggestion? Would this be useful for others?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

There is no doubt that nuke has always needed a mechanism like this. The all-or-nothing approach can be a real pain, for sure. Personally I don't use groups in any form so I'm not really one to chime in other than to agree that something is needed.

Posted: Tue Apr 08, 2008 4:48 am

fkelly,
There is a NSN group function that gets loaded in with NSN Groups. I actually use it in HTML Newsletter. The includes/nsngr_func.php is included within mainfile.php. The function to use is in_group(). There are a couple other functions too in that file... Wink

Posted: Tue Apr 08, 2008 8:16 am

Thanks M. I will take a look at that, no sense in having the same function in two places. Incidentally in the code I posted the $num3 = 0 has to be above the foreach loop. Dumb mistake on my part. Otherwise I have it working pretty well.

I was thinking this would also work better if the groups you wanted to give privileges to for a module were in a config.php for the individual module and were administered on an admin screen for that module. Using a comma delimited format for the variable in the code is kind of a shortcut. On the other hand you might have different types of privileges and different groups throughout a module. I hope I'm not making this too complicated but I think we do need more "granularity" with privileges and it would also be nice to not have to add a lot of extra people to the authors table.

Posted: Tue Apr 08, 2008 8:33 am

Works like a charm M. thanks again. The function in_groups in /includes/nsngr_func.php takes a dash (-) delimited list of groups and explodes it the way I was doing with commas. That's pretty good but it means you better not use a dash character within your group name or you'll wind up with your group named "mish-mash" being interpreted as "mish" and "mash". We probably should fix that if we intend to use this further. But it beats having a similar function in mainfile and Bob has a couple of other refinements in there that I didn't think of on first blush.

Now I just have to revert my mainfile. Smile

Posted: Wed Apr 09, 2008 5:24 am

No problem sir. My pleasure.

Isn't it really the group numbers that are separated by dashes? I don't think it is the actual group names. Pretty sure anyways as within HTML Newsletter I am storing strings like this: "1-2-7-8".

Posted: Wed Apr 09, 2008 7:36 am

Yes, sigh, you are correct M. I was getting into the "secure" area in testing because I have admin privileges. The nsngr_func function checks for is_admin first and returns success (a 1) if the user is an admin. Then it checks group memberships based, as you say on the group id (a numeric field). I just changed my program to pass the gid's instead of names. Of course, testing is confounded by the presence of cookies but still passing the gid's should work. If I ever get the time to do the config.php thing for the module I will have to build that in.