Allow moderators to ban users

Status
Not open for further replies.
Also, some of us are more careful than the rest and have their admincp htpasswd protected and nobody should go near that, ever.

What benefit does this offer? If a person doesn't have admin rights, even if they know the ACP page URL they won't be able to access anything, correct? I am asking because if I am missing anything then I would want to take precautions.
 
Two examples:

1) Say, there is a bug with the forum software (hey, it's software). There is now a vulnerability that allows a remote attacker to gain control of your instance by exploiting something and getting login privileges. An obscure one, but still. If you had .htpasswd protection then you are protected in one more layer, they cannot make use of the vulnerability in the forum software to gain access to the ACP, they would also need to get the http basic auth password.

2) Say, there is an issue that was overlooked by the developers. One particular file in the ACP was not protected (with the frontcontroller approach this is unlikely). Oops, an attacker can now just call this file directly since it bypassed the login mechanism. With .htpasswd, this is not possible as you are protecting the whole directory.

This has happened before ...
http://www.securityfocus.com/bid/32353/info
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-02/msg00081.html
(and more, I won't link to them)

So, short story. Do protect your admin.php file :) Highly recommended
and the /install directory
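
An added example, not part of the original thread, of the extra layer described above: HTTP Basic Auth in front of `admin.php`, with `/install` closed off. It assumes Apache 2.4 with `AllowOverride AuthConfig`; the password file path and the user name are placeholders.

```apache
# ---- File 1: .htaccess in the forum root (same directory as admin.php) ----
#
# Create the password file OUTSIDE the web root so it can never be downloaded
# (path and user name below are placeholders):
#   htpasswd -B -c /home/example/.htpasswd-acp acpuser
#
# Basic Auth credentials are only base64-encoded on the wire, so serve the
# ACP over HTTPS or this layer can be sniffed.

<Files "admin.php">
    AuthType Basic
    AuthName "Admin control panel"
    AuthBasicProvider file
    AuthUserFile "/home/example/.htpasswd-acp"
    # The web server rejects the request before any forum code runs, so a
    # flaw in the forum's own login check is not reachable without this
    # second, independent credential.
    Require valid-user
</Files>

# ---- File 2: install/.htaccess ----
#
# Option A: after installation or an upgrade is finished, close the
# directory completely.
Require all denied

# Option B: if the installer must stay reachable for upgrades, comment out
# Option A and require the same Basic Auth credential for the whole
# directory instead:
#
# AuthType Basic
# AuthName "Installer"
# AuthBasicProvider file
# AuthUserFile "/home/example/.htpasswd-acp"
# Require valid-user
```

A request for `admin.php` without credentials should now return `401 Unauthorized` from Apache itself, and anything under `/install` should return `403 Forbidden`.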
 
Thank you for the explanation Rigel. I don't want to take this topic off track but can you share how I can protect the admin.php file and install directory? I have seen the .htaccess file but what change needs to be made so I am protected?
 
Adding options for the length of the ban would be a good idea, as a 24h ban isn't often long enough (sometimes it's permanent).

I strongly agree that moderators should be able to ban users, as they can often spot problems before admins can.
 
If this is added, I would like to see a post auto-created in a thread each time a ban happens. I do realize that admins can check in the ACP to see a list of banned users. The issues are: the ACP isn't available to mods, and it is quite inconvenient to go check any particular section of the ACP to see if someone was banned. A simple thread post would be perfect. You can have alerts for the thread, see who was banned, when, by whom, for how long and the reason.
 
Couldn't this just be done by a standard alert sent to the admins? :)
 
I am still learning here Rigel. Can you please tell me how a mod can send an alert to the admin/mod group?

Even so, alerts seem like a sloppy way to do things. Having a single forum thread in the moderator forums titled "Banned Users" is something that every mod can view for the life of the forums. If you use alerts, then anytime a new mod joins they won't know about past bans.
 
I meant the hack could have done that, and sent the alert :) I'll explore adding that option. A thread would be better long term, though. Those might be complementary options.
 
Nice... now we just need the discouraged & undiscouraged ability brought forward for mods, and mod access will be quite completed at the frontend.

Nice work Rigel.
 
If you trust your moderators enough to let them ban or edit users, make them administrators and allow them to manage users.
vBulletin mentality. :(
Banning is definitely more a moderation task than administration task. Very frustrating design decision that I'm glad is being fixed by this mod.
Exactly. Administrator vs. Moderator in vBulletin was a very rigid setup. XenForo makes it (or should make it) a continuum of control completely up to the site operator to decide. Every forum is different.
 
This doesn't show up for my moderators. I believe it is because of my custom skin. Is there a way to manually insert this?
 
I'm getting this weird error... one of my moderators banned someone, but the person getting banned did not get moved to the banned usergroup, and now has "easyban_user_already_banned_days" in place of the "ban user" link (see screenshot).

Also, in the edit user page of the admin cp, I get the option to lift the ban on the user, but they are not in the banned usergroup.
 

Attachments

  • Screen Shot 2011-11-12 at 12.33.50 PM.webp
If you see that, it means that the phrase "easyban_user_already_banned_day" was for some reason not created during the installation of the addon. That phrase must exist; open the xml with a text editor if you want to see its content.

...

In XenForo, there is no such thing as a banned usergroup (you may have one if you imported by vBulletin, but banned users are not really moved to that), instead, users are set as banned.
 
Is this going to be upgraded to use the member card hover feature over avatars to show mod functions the same as admins will see, instead of having to specifically go to the profile?
 