Kunena 5.1.10 Released - Security release (03 Mar 2019)

The Kunena team has announced the arrival of Kunena 5.1.10 [K 5.1.10] which is now available for download as a native Joomla extension for J! 3.9.x. This version addresses most of the issues that were discovered in K 5.1 and issues discovered during the development stages of K 5.1. This is a security release.


Question Rank changed, but how?

2 weeks 4 days ago #1 by tcn
Rank changed, but how? was created by tcn
I'm investigating an incident on our forum. One of our moderators¹ lost his rank in the past 48 hours. I went through the Kunena logs, but there is no entry with that user as target for the given time period.

We only have two users which are able to access the Joomla backend and change Kunena settings. My colleague hasn't logged in in the past 48h. I usually do all the administration and my colleague helps out when needed or when I'm away. I didn't change the mod's profile, either.

There are two more possibilities I can think of at the moment.

1. It happened during the update to v5.1.10.1
On 5 March I updated the forum to the latest version. It went through without any errors or warnings and a quick check didn't reveal anything out of the ordinary. However, we set up our own ranks, including Moderator. The only rank still left from the installation is the Administrator rank. Initially, we didn't want to use ranks, but later we decided to make use of it to scratch an itch, so to speak.

So, is there some script running during or triggered by the update, that could possibly have made a change?

2. Rank can be changed in the frontend somehow
Is there a way of changing ranks from the frontend, that I'm not aware of? That's the only other thing I could think of. Of course, there's also the possibility of a hack, but the system logs give no indication so far.

¹ I just checked another mod's settings whose profile was almost identical. He also lost his rank. In addition, I'm seeing a user that does have the rank Moderator, but I never gave it to him. It's all very weird and it worries me quite a bit.





Database collation check: ✔ The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |

htaccess: Exists | PHP environment: Max execution time: 30 seconds | Max execution memory: 128M | Max file upload: 8M


Joomla default template details : astroid_template_zero | author: JoomDev | version: 2.0.2 | creationdate: Nov 2018

Kunena default template details : Crypsisb3 | author: Kunena Team | version: 5.1.10.1 | creationdate: 2019-03-04


Kunena version detailed: Kunena 5.1.10.1 | 2019-03-04 [ Janus ]

Third-party components: UddeIM 4.0

Third-party SEF components: None

Plugins: None

Modules: None

2 weeks 4 days ago #2 by tcn
Replied by tcn on topic Rank changed, but how?

> In addition, I'm seeing a user that does have the rank Moderator, but I never gave it to him.

Please disregard the mystery moderator. It could well be a red herring.

The more I think about it, the more I'm convinced that this is a bug in the latest Kunena release. Moderator ranks are assigned by some logic in Kunena. I never actively assigned the rank to anyone. I only changed the icon for the moderator rank and changed the moderation settings in the backend user interface. The ranks were assigned automagically. Thus,

> I went through the Kunena logs, but there is no entry with that user as target for the given time period.

makes perfect sense. Nobody changed the moderator ranks. They are just no longer automagically assigned as they were before.

If you would like me to run further tests, let me know. I already produced a list of moderators and their assigned ranks, if any, should you be interested.

2 weeks 3 days ago #3 by rich
Replied by rich on topic Rank changed, but how?
Which error do you mean? I cannot reproduce a mistake of this kind.
A Moderator and a rank are two different things.
In the backend, choose a user under Kunena -> Users. You see the tabs Moderation and Forum Settings.
If you set "Is moderator? = Yes" on the first tab, the user automatically gets the rank Moderator and moderator rights, either global or only for selected categories.

But if you set the rank on the tab Forum Settings, this is only a rank title without extra rights.

2 weeks 3 days ago #4 by tcn
Replied by tcn on topic Rank changed, but how?
There is no error that I can see. I'm only seeing the results of something that has changed presumably since the update.

> A Moderator and a rank are two different things.

Right and wrong at the same time. There is a default rank called Moderator. That's what I'm talking about. It's automagically assigned to users given the role of moderator on the forum. At least that's how it was (or I guess that's how it was).

Best to give an example:
username | moderator | rank_title
mod | 1 | NULL

That particular user is one of our global moderators. Before the update, the moderator badge, a custom image I uploaded for the rank moderator, was displayed below his account. You can see that he's got no rank assigned (NULL). Now, after the update, he's wearing the administrator badge. That's the red dots. I didn't change the image for that rank.

So, without us changing anything on the given user's settings, profile etc. his appearance changed. The update is the only change applied to the forum that could have such an effect, I guess.

Maybe the question boils down to: what is the magic that is applied for the moderator rank, or any other of the special ranks for that matter, to show in the frontend without assigning it explicitly in the backend. Also, somehow related, what takes precedence? A special, automagically assigned rank or an explicitly assigned rank (set in the backend)?

On our forum, we distinguish between paying members of our club and non-paying forum users. Members have access to special members-only boards. In order to help distinguish members from non-members visually, every member gets a special badge. We realize that by explicitly assigning them the custom special rank member. Any member could become a moderator on the forum, globally or for selected boards. So, once I elevate a user's permission to moderator, should the associated rank automagically be displayed or do I have to change it in the backend?

Quite a question for something I could easily try out myself, I know. I'm just trying to better understand the applied logic. Without knowing what the intended behavior is, it's hard to tell misbehavior.

2 weeks 2 days ago #5 by rich
Replied by rich on topic Rank changed, but how?
Here is a list of automatic ranks.
Registered - Author - Publisher - Editor - Manager | Kunena rank is Member (Rank Image changes by number of posts)
Admin - Super User | Kunena Rank is Admin
Category Moderator | Rank is Moderator only in the assigned categories (in other categories he is Member)
Global Moderator | Rank is Moderator

Exceptions:
If you set Admins and Super Users as Moderator, the rank remains Admin.

Special Ranks (tab Forum Settings)
If you choose a special rank title for a user here (example: Spammer), this changes only the rank image but not the rights. With this option you can also change the rank image for admins or mods.
docs.kunena.org/en/manual/backend/ranks/add-rank

2 weeks 2 days ago #6 by tcn
Replied by tcn on topic Rank changed, but how?
Thank you very much for the overview. I would say there's a bug in the latest version then. The user in question is a normal user¹ in Joomla. In Kunena he's a Global Moderator. So, his rank image should be that of a Moderator:

> Global Moderator | Rank is Moderator


Unless there's something else that needs to be taken into consideration. Does Kunena look at all at access levels? I'm asking, because your answer triggered something in my memory. I recently² tried to configure Joomla such that Global Moderators can access the Kunena configuration logging in to the backend without them getting access to other settings than Kunena. That's a desire, because not everything can be configured from the frontend, e.g. boards.

I did not succeed, so far. But I did change some access levels for the Joomla group our Global Moderators are member of:

Kunena Forum | Access Administration Interface | Allowed
Global Configuration | Administrator Login | Allowed

Members of that Joomla group can now login to the backend, but the Components menu is not available for them. The same approach did work for a different component we are using on our website.

¹ not in the Super Users group nor being granted the Super User ACL
² before, but possibly on the same day, I installed the update

2 weeks 2 days ago #7 by tcn
Replied by tcn on topic Rank changed, but how?
I just checked the User Activity Log in Joomla. The ACL changes were applied the day before I installed the update. I didn't notice the change of rank until a couple of days after the update. So, the ACL modification is definitely another candidate for the changed rank.

2 weeks 1 day ago - 2 weeks 1 day ago #8 by rich
Replied by rich on topic Rank changed, but how?

> Thank you very much for the overview. I would say there's a bug in the latest version then. The user in question is a normal user¹ in Joomla. In Kunena he's a Global Moderator. So, his rank image should be that of a Moderator:

Yes, correct, unless you have created your own Kunena rank for this user.

> Unless there's something else that needs to be taken into consideration. Does Kunena look at all at access levels?

Joomla user groups such as Author, Editor, etc. are for Kunena only normal registered users without extra rights. Only Admins and Super Users have more rights.

> I recently tried to configure Joomla such that Global Moderators can access the Kunena configuration logging in to the backend without them getting access to other settings than Kunena. That's a desire, because not everything can be configured from the frontend, e.g. boards.
>
> I did not succeed, so far. But I did change some access levels for the Joomla group our Global Moderators are member of:
>
> Kunena Forum | Access Administration Interface | Allowed
> Global Configuration | Administrator Login | Allowed

Now it's all clear. These members are admins now.
In the frontend, the differences between Admins and Global Moderators are minimal; for example, a Moderator can't ban another Moderator but an Admin can.
But in the backend you have a security problem now. All the users of this group have the possibility to permanently delete all members from your web page.
Please see this doc and scroll down to the Info bar.
docs.kunena.org/en/faq/admins-only-for-kunena
Last edit: 2 weeks 1 day ago by rich.
The following user(s) said Thank You: tcn
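
An audit for the permission change discussed in this post, as an added example that is not code from the thread, Kunena or Joomla: it reads ACL rules in the JSON form Joomla keeps in the `rules` column of its assets table and lists every group that holds both "Administrator Login" (`core.login.admin`) and "Access Administration Interface" (`core.manage`) for `com_kunena`. The group table, the rule rows and the "Forum Moderators" group with id 10 are constructed sample data, and the inheritance check is a simplified model of Joomla's.

```python
import json

# Constructed sample data shaped like Joomla's usergroups and assets tables.
# id -> (title, parent_id); "Forum Moderators" (id 10) is a hypothetical group.
GROUPS = {1: ("Public", 0), 2: ("Registered", 1), 6: ("Manager", 1),
          7: ("Administrator", 6), 8: ("Super Users", 1),
          10: ("Forum Moderators", 2)}
# asset name -> JSON text of its rules column
ASSETS = {
    "root.1": '{"core.login.admin":{"6":1,"10":1},'
              '"core.admin":{"8":1},"core.manage":{"7":1}}',
    "com_kunena": '{"core.admin":[],"core.manage":{"10":1}}',
}
EXPECTED = {"Administrator", "Super Users"}  # assumed baseline for this site

def lineage(gid):
    """Return the group id followed by its ancestors (rules are inherited)."""
    chain = []
    while gid in GROUPS:
        chain.append(gid)
        gid = GROUPS[gid][1]
    return chain

def allowed(gid, action, component):
    """Simplified check: global rules, then component rules; a deny (0) wins."""
    verdict = False
    for asset in ("root.1", component):
        rule = json.loads(ASSETS.get(asset, "{}")).get(action) or {}
        for g in lineage(gid):
            value = rule.get(str(g))
            if value == 0:
                return False
            if value == 1:
                verdict = True
    return verdict

def backend_forum_admins(component="com_kunena"):
    """Groups that can log in to the backend and open the component there."""
    hits = []
    for gid, (title, _parent) in sorted(GROUPS.items()):
        is_super = allowed(gid, "core.admin", "root.1")
        if is_super or (allowed(gid, "core.login.admin", component)
                        and allowed(gid, "core.manage", component)):
            hits.append(title)
    return hits

def unexpected_admins():
    """Groups with backend forum access that are not in the expected baseline."""
    return [t for t in backend_forum_admins() if t not in EXPECTED]
```

With the sample rows, `unexpected_admins()` returns the custom moderators group, which is the situation described in this thread.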

2 weeks 11 hours ago #9 by tcn
Replied by tcn on topic Rank changed, but how?

> Yes, correct, unless you have created your own Kunena rank for this user.

No, I have not. But I infer from your answer that manually assigned ranks in the backend take precedence over automatically calculated ranks based on permissions or post count.

> These members are admins now.

So, Kunena does look at the assigned ACLs then? Not a problem, just good to know.

> But in the backend you have a security problem now. All the users of this group have the possibility to permanently delete all members from your web page.

First of all, I wouldn't call it a security problem. It's a matter of trust. Or, to quote sudo:

> With great power comes great responsibility.

Second, as I mentioned, the users are not yet able to see anything in the backend. Obviously, I have missed something setting it up. I will go through the documentation and try to figure out what. Thanks for pointing me in the right direction.

I would also like to thank you for your support once again. I'm glad this turned out to be a red herring and not a bug or, worse, a security incident.

2 weeks 10 hours ago #10 by tcn
Replied by tcn on topic Rank changed, but how?
All done! :woohoo:

Our two global mods now have access to the Kunena backend. I actually came across the documentation page you pointed me to, before. It just didn't register as being related to what I was trying to achieve. Maybe renaming the document to something like "Access to Joomla backend only for Kunena component for forum administrators" might help. I know it's a mouthful...

Anyway, I'm glad I can put this behind me. B)
