Hello, I've found an oddity. Perhaps I'm missing what settings I should use to sort this out.
I have four roles, anon, authenticated, admin2 and bloggers - bloggers can blog and admin2 can reach all administration pages so these roles are for selected users and should never be automatically created by user Karma. How do I get them excluded from Karma? I find these roles in "Assigning roles to karma amounts" but I don't know what I should put there.
I've noticed that every so often, and/or if I manually ask to recalculate users' Karma, the roles blogging and admin2 will vanish from the users who have these roles. I need the admin2 users to keep their role as admin; how can I make this stop - bar never ever recalculating Karma?
Using Karma 5.x-1.9
I'm not sure if this is a bug.
Comments
Comment #1
Rhino commented: To clarify, by "delete" I mean that the entries previously found in table "user_roles" are totally gone. I've temporarily fixed these issues by editing the table directly as I can not assign these user roles BACK to the users who should have them when the Karma module is on. Giving them extra roles simply will not 'stick' (if you edit the users via Drupal's pages directly).
Comment #2
Rhino commented: WOW am I ever staring at the answer RIGHT IN FRONT OF ME and still not seeing it. It's Obvious!
"Choose roles for user karma:" - exclude the roles I don't want affected by Karma.
*Slaps forehead* ow!
Sorry. :) To be clear there is nothing wrong with this part of the module, I had just chosen all the roles to be affected without 'noticing' that I had.
I'll go sink through the floor now.
Comment #3
mercmobily commented: Hi,
The amazing part?
I had actually _answered_ your question. However, I must have forgotten to post the answer. I SWEAR!
Glad it's fixed :-D
Merc.
Comment #4
Anonymous (not verified) commented: Automatically closed -- issue fixed for two weeks with no activity.
Comment #5
dejbar commented: I've spent the better part of a day trying to work this problem out. Since I was installing this along with the modules associated/required for Drigg there were a lot of possible sources of the problem. I had to progressively disable modules to find the source of the problem. Now after re-enabling the modules I've got other issues that I think will require me to start again from scratch. So what I'm trying to say is this has caused me a lot of pain.
After reading this I can see the internal logic of what has happened - the karma module assigns roles based on the amount of karma and doesn't even let administrators change them from their karma-based roles. However this is far from obvious for someone looking through the options, especially in the context of the larger Drigg installation. I think most people would think 'Do I want admins to have Karma? Yep, sure sounds OK'. Considering the dire consequences of losing the administrative role on one's own site - I think there should be a clear warning posted about this next to the option to include admins in this scheme. Also the 'Silent Failure' of the ability of other admins to change the permissions is a particular problem. Some sort of error message should be produced.
I haven't looked into this any further but if this scheme allowed a user to gain admin privileges simply by accumulating Karma then you have to say this could be a serious security problem. Allowing people to unknowingly mess with the admin role is not a good idea and probably shouldn't even be an option.
Comment #6
mercmobily commented: Hi,
The description of the field says clearly:
"You should choose roles created specifically for user karma."
I made it even clearer:
t('You should choose roles created specifically for user karma. WARNING: this module adds AND deletes roles. If a user does not have enough karma, s/he will lose the role. So, pick the roles carefully')
This should be enough.
Merc.
Comment #7
dejbar commented: Hi Merc,
Thanks for creating what appears to be a great bunch of modules.
It can be hard for any software author to realize just how little users understand about their product. Installing this as part of Drigg gave me no idea that the purpose of this module was to assign roles based on the karma score, and I actually read much of the description on the main module page. As a user you just tend to assume that a finished product won't have an inbuilt 'self destruct' button and that if it does it will be very clearly marked. Anyhow, this 'feature' won't bite me again. What worries me though is that a large proportion of users who experience this won't know where to look to find the answer and will give up on Drigg in frustration, thinking that it is 'unstable'.
From a security perspective I guess the important point is that there is no way for attackers to search for installations that have incorrectly configured this module. If they could do that then they could mount an attack on the host by signing up and getting however many Karma points are required (possibly zero, assuming the admin didn't lock themselves out). This would then allow them as an administrator to run arbitrary PHP on the host machine.
I guess for a warning I would go with something like.
WARNING!!!!
Never select an administrator role to be part of this because you will either lock yourself out of this account or you will allow others to take control of your machine!!!!
Just my 2c.
Daniel.
Comment #8
mercmobily commented: Hi,
One note.
I realise that giving "admin role" if a user gets enough karma will give them an admin role. But... I am not sure about locking yourself out.
Being "admin" and "having admin roles" are two VERY different things. Admin will _always_ be able to login. A user who was given admin roles might lose them if the "admin role" is part of the karma game. But... again, Admin will _always_ be able to login.
Am I missing something here?
Merc.
Comment #9
dejbar commented:
> Being "admin" and "having admin roles" are two VERY different things.
Are you talking about the special admin account with user id #1? I didn't try it with account #1 so I can't comment on that. However, apart from this special account I see 'being admin' and 'having admin roles' as the same thing. Anyway, in a larger site you can't assume that any admin user is always going to have access to the #1 account.
When it comes to 'locked out' I mean that if you lose your "admin role" then you are locked out of admin functions and you can no longer effectively manage your site. In particular I'm assuming you can't edit the privileges to give yourself back those rights. What help is it to log in if you can't do anything? In fact, if you include the general class of 'authenticated users' in Karma then you could well also lose your ability to log in.
The lack of admin roles could be made all the worse if at the same time someone else has gained admin roles through karma.
Comment #10
mercmobily commented: Hi,
> Are talking about the special admin account with user id #1?
Yes
> I didn't try it with acount #1 so I can't comment on that.
I can... the "admin" account has no restrictions. It never, ever does.
> However apart from this special account I see 'being admin' and 'having admin roles' as the same thing.
Well, "being admin" and "having admin roles" are two _completely_ different things. You cannot be locked out of your site, because user #1 will _always_ be able to get in and do whatever.
So, a big part of your fears are unfounded.
Merc.
Comment #11
dejbar commented: OK, so the single 'admin' account still has access. While this reduces the 'lockout' problem there would still be a lot of cases where sites have multiple administrators with 'admin role' accounts. At least for a period of time one of these administrators could be effectively locked out of the site until they are able to get in contact with the main admin account holder. One thing that even the real 'admin' account can't do is override the Karma-based roles.
Anyway, to me it just seems like an inherently bad idea to allow people to accidentally disable their account access. Especially when the means of fixing it are also disabled. But hey that's just me.
The more I think about it, the more serious the security appears to be. All you have to do is switch this on for administrator and set the wrong numbers (or even leave the defaults?) and anyone who signs up to your site and posts will have the admin role. From there your box is well on the way to being owned.
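The behaviour comments #5 and #11 describe (roles listed under "Choose roles for user karma" are granted when a user reaches the karma amount and removed when they do not, while unlisted roles are left alone) is easy to model, and a small pre-flight check catches the two misconfigurations the thread warns about. The following is an added illustration written for this page, not code from the User Karma module or Drupal: the role names, karma thresholds and user records are constructed sample data, and the module's real form keys and database schema are not modelled.

```python
"""Model of karma-driven role assignment as described in this issue thread.

Constructed example, not the User Karma module's own code. It reproduces
the described rule (managed roles are added at or above their karma
amount and deleted below it; unmanaged roles are never touched) so a
planned configuration can be audited before it is applied to a live site.
"""

# Roles Karma is allowed to manage and the karma required to hold each.
# Assumed configuration values, constructed for this example.
KARMA_ROLES = {"blogger": 50, "trusted": 200}

# Roles that should never be under Karma's control (assumed site policy).
PROTECTED_ROLES = {"admin2", "authenticated user"}


def recalculate_roles(user_roles, karma, karma_roles):
    """Return the role set a user holds after a karma recalculation.

    user_roles:  roles the user currently holds
    karma:       the user's current karma amount
    karma_roles: mapping role -> minimum karma, i.e. the roles chosen
                 under "Choose roles for user karma"
    Roles not present in karma_roles are kept exactly as they are.
    """
    untouched = {r for r in user_roles if r not in karma_roles}
    earned = {r for r, needed in karma_roles.items() if karma >= needed}
    return untouched | earned


def audit_config(karma_roles, protected_roles):
    """List problems with a karma role configuration before enabling it.

    Flags a protected role (administrator, authenticated user) that is
    under Karma's control, since holders below the threshold lose it on
    recalculation and any account reaching the threshold gains it, and
    flags any managed role whose threshold is zero or negative, since
    every account would receive it.
    """
    problems = []
    for role, needed in karma_roles.items():
        if role in protected_roles:
            problems.append(
                f"{role!r} is managed by karma (threshold {needed}): "
                "holders below it lose the role, anyone reaching it gains it")
        if needed <= 0:
            problems.append(
                f"{role!r} has threshold {needed}: every account would get it")
    return problems


def simulate_recalculation(users, karma_roles):
    """Apply recalculate_roles to every user; returns {name: role set}."""
    return {
        name: recalculate_roles(roles, karma, karma_roles)
        for name, (roles, karma) in users.items()
    }


if __name__ == "__main__":
    # Constructed sample accounts: (current roles, karma amount).
    users = {
        "site_admin": ({"authenticated user", "admin2"}, 10),
        "newcomer": ({"authenticated user"}, 120),
    }

    # Correct setup: only purpose-made roles are managed by karma.
    print("safe config:", audit_config(KARMA_ROLES, PROTECTED_ROLES) or "ok")
    for name, roles in simulate_recalculation(users, KARMA_ROLES).items():
        print(f"  {name}: {sorted(roles)}")

    # The thread's mistake: the administrator role was ticked as well.
    bad = dict(KARMA_ROLES, admin2=100)
    print("bad config:", audit_config(bad, PROTECTED_ROLES))
    for name, roles in simulate_recalculation(users, bad).items():
        print(f"  {name}: {sorted(roles)}")
```

Run directly, the safe configuration leaves `site_admin` with `admin2` and grants `newcomer` only `blogger`; the bad configuration strips `admin2` from `site_admin` (karma 10 is below 100) and grants it to `newcomer` (karma 120), which is exactly the lockout plus privilege gain the thread describes. The audit is the check to run before ticking any box under "Choose roles for user karma".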
Comment #12
mercmobily commented: Hi,
If the administrator wants to add the "administrator" role to people with enough karma, that's something that should be allowed. You are "admin" (that is, user 1) for a reason.
The presence of the "admin" user doesn't "alleviate" the problem -- it solves it.
There is a warning there, and it's bold.
Merc.
Comment #13
Rhino commented: Glad you made it clearer but honestly, I should have seen the text in the first place had I actually paid attention. There was nothing wrong with the module, I was just speeding through the motions of installing and not READING properly. ;) Bold text helps though, so cheers for that.
Comment #14
Anonymous (not verified) commented: Automatically closed -- issue fixed for two weeks with no activity.
Comment #15
nhoeller commented: Merc, add another dummy who got bitten by this problem. I thought 'Choose roles for user karma:' related to the roles of users where the module would calculate karma. The warning in small type/light grey "You should choose roles created specifically for user karma" simply did not register late last night when I had a chance to install the karma module. I promptly nuked my administrative access. No major problem - I was using a test site and knew about user 1.
Part of the problem is that the underlying logic of karma escapes me, even after having read the description multiple times. Some examples would be really helpful.
That said, your karma module is exactly what I was looking for, as soon as I figure out how to get access to the karma values.
Thanks, Norbert