Avoiding the Admin SuperUser Trap
All you *nukers out there may appreciate this gripe of mine. In RavenNuke™, PHP-Nuke, and the other *nuke variants, there is the concept of a normal user and an admin user. There is even a special type of admin user called a “God Admin”, with special privileges, such as creating new admins and assigning privileges. So far, not a bad approach, although it is debatable why one even needs two separate classes of users; but I digress.
The administration control panel, or ACP for short, within *nuke consists of two sections, the first called “Administration Menu” and the second called “Modules Administration”. As many of you know, in order for an admin to see the Administration Menu applets, as I like to call them, one must be given SuperUser privileges. However, it is also possible to set up admins to only have access to the administration applets for specific modules.
The problem with SuperUser access is that it means an admin can do everything except “Edit Admins” (if you have NukeSentinel™ installed), and if you are like me, you may not like that too much. In fact, out of the Administration Menu applets, I often wished that I could just give an admin access to post system messages (the Messages applet), or possibly to just manage Submissions. Unfortunately, you have to give them SuperUser access, which gives them everything else…
Follow up:
Well, not so any longer if you do not mind making very slight customizations to a script or two. Bob Marion and I were “conversing” the other day about the above problem with regards to his upcoming NukeMailList release and he gave me the idea. Thanks Bob!
So, here it goes. We need an example, so I have chosen the Messages applet. I want to be able to give an admin the permissions to this applet, but only that applet (yes, you should be able to do this with any number of the Administration Menu applets - these are the scripts that reside under your *nuke root’s admin directory). The approach goes like this:
1) Create a new Messages module “stub”
Create a structure like this:
modules/Messages
modules/Messages/admin
Within the modules/Messages/admin directory, place a file called case.php with the following code in it:
PHP:
Also within this same directory, place a file called links.php with the following code in it:
PHP:
<?php
if (!defined('ADMIN_FILE')) {
    die('Access Denied');
}
global $admin_file;
adminmenu($admin_file.'.php?op=messages', _MESSAGES, 'messages.gif');

?>
Also within this same directory, place a file called index.php with the following code in it (yes, essentially a file with no PHP code between the tags):
PHP:
<?php

?>
It would also be a good idea to place a blank index.html file within each of the above directories as well as a .htaccess file in each with the following one line in them:
deny from all
This just helps to keep these directories from prying eyes.
2) Modify the Messages code to accept links from this new module
All of the administration logic is really within the admin directory and we need to modify a couple of scripts there so that they will check for module admin privileges properly.
Open up the file:
admin/case/case.messages.php
NOTE: all code examples are from RavenNuke™, which, although fully patched to the latest patch levels (as you should be too!), may differ slightly from PHP-Nuke.
After this code here:
PHP:
Add this line of code before the “switch” statement:
PHP:
Now, this is where the code in RavenNuke™ and patched PHP-Nuke might differ slightly. Open the following file:
admin/modules/messages.php
Find this code here:
PHP:
$row = $db->sql_fetchrow($db->sql_query('SELECT radminsuper FROM ' . $prefix . '_authors WHERE aid=\'' . $aid . '\''));
if ($row['radminsuper'] == 1) {
And simply replace it with this:
PHP:
// Fetch the module row so we can read its comma-separated list of assigned admins
$row = $db->sql_fetchrow($db->sql_query('SELECT `title`, `admins` FROM `'.$prefix.'_modules` WHERE `title`=\''.MODADM_MESSAGES.'\''));
// Fetch the current admin's name and SuperUser flag
$row2 = $db->sql_fetchrow($db->sql_query('SELECT `name`, `radminsuper` FROM `'.$prefix.'_authors` WHERE `aid`=\''.$aid.'\''));
$admins = explode(',', $row['admins']);
$auth_user = 0;
for ($i = 0; $i < sizeof($admins); $i++) {
    // An empty admins column means nobody is assigned to this module; never treat it as a match
    if ($row2['name'] == $admins[$i] AND $row['admins'] != '') {
        $auth_user = 1;
    }
}
// SuperUsers keep access; everyone else must be on the module's admin list
if ($row2['radminsuper'] == 1 || $auth_user == 1) {
3) Ensure module shows up in your Modules list
It would be a good idea to now click on the Modules administration applet and see if the module named Messages now shows up in the list. It should be set as “Inactive”. If it does not show up, which could happen with RavenNuke™, just click on the Modules applet link again. There is no need to activate the module; in fact, it would be better to just leave it inactive.
4) Assign permission to an admin
Now you are ready to assign this new Messages module to an admin user. The Edit Admins applet is where you do this. You should now be able to take an admin and, without giving them SuperUser access, just check the checkbox next to Messages and click Save; they should now see the Messages link within the Modules Administration section of the ACP!
Sound easy enough? I couldn’t believe how easy it was. To enable additional “applets”, just remember to use a different constant name in all three places. I.e., replace MODADM_MESSAGES with another define with a different name AND make sure to give it the value of the module's directory exactly as you have created it, including any underscores.
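Since the same list-membership check from step 2 gets pasted into every applet you expose this way, here is that logic factored into one reusable function, with the edge cases the inline loop guards against (an empty admins column, an empty admin name) made explicit. This is an added example, not code from the post or from RavenNuke™; it assumes the two rows are passed in exactly as the `_modules` and `_authors` queries return them, and it trims whitespace around names, which the original exact-match loop does not.

```php
<?php
// Added example: per-module admin check as one function.
// $module_row: the `_modules` row (title, admins) for the applet's stub module.
// $author_row: the `_authors` row (name, radminsuper) for the current admin ($aid).
function is_module_admin(array $module_row, array $author_row)
{
    // SuperUser / God admins keep access regardless of per-module lists.
    if ((int) $author_row['radminsuper'] === 1) {
        return true;
    }
    // An empty `admins` column means nobody is assigned. explode(',', '')
    // returns array('') which must never match, so bail out here.
    $list = trim((string) $module_row['admins']);
    if ($list === '') {
        return false;
    }
    // An admin with an empty name must not match a stray empty entry
    // such as the one produced by 'alice,,bob'.
    $name = (string) $author_row['name'];
    if ($name === '') {
        return false;
    }
    // Compare whole names only: 'bob' must not match 'bobby'.
    foreach (explode(',', $list) as $entry) {
        if (trim($entry) === $name) {
            return true;
        }
    }
    return false;
}

// Constructed fixture standing in for the two database rows.
$module_row = array('title' => 'Messages', 'admins' => 'alice, bob');
$authors = array(
    array('name' => 'bob',   'radminsuper' => 0), // listed        -> allowed
    array('name' => 'bobby', 'radminsuper' => 0), // not listed    -> denied
    array('name' => 'carol', 'radminsuper' => 1), // SuperUser     -> allowed
    array('name' => '',      'radminsuper' => 0), // empty name    -> denied
);
foreach ($authors as $author_row) {
    printf("%-6s radminsuper=%d => %s\n", $author_row['name'],
        $author_row['radminsuper'],
        is_module_admin($module_row, $author_row) ? 'allowed' : 'denied');
}
```

In admin/modules/messages.php the replacement condition then becomes `if (is_module_admin($row, $row2)) {` with `$row` and `$row2` fetched as in step 2.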
Thanks again to Bob Marion for getting me off my duff to finally get this working for my sites, for giving me the ideas, and for allowing me to share them.
7 comments
Although it does highlight one of *nuke's deficiencies (decent access permissions handling), this snippet will no doubt come in extremely handy for giving access to admin applets to users you do not want to have full SuperUser access rights.
This will be very useful and I'm sure will be a useful reference source ;)
Astonish Me Code plug in??
I wish, though, that I could turn off the line numbering
Just add the following to your css ;)
td.amc_line {display:none; }