different mysql users for Joomla backend and frontend for the sake of more security - joomla

I currently have just the basic privileges set for Joomla's MySQL user: INSERT, UPDATE, DELETE and SELECT.
But in fact, if this user is being used across the entire site, if any hacker finds a way to get it or to control the queries (SQL injection) he will be able to delete the entire content of a website.
My idea would be to have 2 different MySQL users in Joomla. One to use in the frontend and the other one to be used in the backend (/administrator). In fact the administrator will require the privileges I currently use, but the frontend user will only require SELECT and a few UPDATE and INSERT privileges to some particular tables like banners and session.
I know it might sound paranoid, but currently the projects I'm working with require this kind of "paranoid" approach.
I expect any Joomla experts will help me in achieving this.

Firstly, I have seen that you used the Joomla 1.7 tag in your question, but please ensure you are running the latest version of the Joomla 2.5 series, 2.5.9.
What you are trying to achieve, from what I have read, is you want 2 users, 1 that can only log in to the frontend and the other that can log in to the backend. This currently is available in Joomla and would require core code changes which I'm not going to recommend you do. Have a read through another question I answered, giving information and good extensions to help with security.
Joomla! 2.5.4 Hacked: Having trouble with diagnosis
Then, simply create a separate admin account and only use that one to login to the backend.
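
The privilege split proposed in the question, written out on the MySQL side as an added example (not part of either post). The database name joomla_db, the jos_ table prefix, the two account names and the choice of writable tables are assumptions for illustration.

```sql
-- Added example. Assumed names: database joomla_db, table prefix jos_,
-- accounts joomla_admin / joomla_front, both connecting from localhost.

-- Backend account: the privilege set the question says is in use today.
CREATE USER 'joomla_admin'@'localhost' IDENTIFIED BY 'REPLACE_WITH_ADMIN_SECRET';
GRANT SELECT, INSERT, UPDATE, DELETE ON joomla_db.* TO 'joomla_admin'@'localhost';

-- Frontend account: read everything, write only where the public site must.
CREATE USER 'joomla_front'@'localhost' IDENTIFIED BY 'REPLACE_WITH_FRONT_SECRET';
GRANT SELECT ON joomla_db.* TO 'joomla_front'@'localhost';

-- Session rows are created, refreshed and expired by visitors, so this one
-- table also gets DELETE (assumption: sessions are stored in the database).
GRANT INSERT, UPDATE, DELETE ON joomla_db.jos_session TO 'joomla_front'@'localhost';

-- Banner impression and click counters only need UPDATE.
GRANT UPDATE ON joomla_db.jos_banners TO 'joomla_front'@'localhost';

-- Audit 1: human-readable view of what the frontend account holds.
SHOW GRANTS FOR 'joomla_front'@'localhost';

-- Audit 2: the frontend account must hold nothing but SELECT at schema level.
-- Expected result: zero rows.
SELECT PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''joomla_front''@''localhost'''
  AND TABLE_SCHEMA = 'joomla_db'
  AND PRIVILEGE_TYPE <> 'SELECT';

-- Audit 3: every table the frontend account can write to, with the verbs.
-- Review this list whenever an extension is installed or removed.
SELECT TABLE_NAME,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS write_privs
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE = '''joomla_front''@''localhost'''
  AND TABLE_SCHEMA = 'joomla_db'
GROUP BY TABLE_NAME;
```

Joomla's configuration holds a single set of database credentials, so making the frontend connect as joomla_front is a separate change that these statements do not cover. The list of writable tables has to be grown from the statements MySQL denies while the site is exercised in a test environment.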

Related

Joomla v1.5.14 Admin top menu elements are missing

My client has Joomla! ver 1.5.14 installed on the remote server. I logged in using the url /administrator/ with login 'admin'. When landed on the admin page after successful login, I observed that the top menu has only two elements, Site and Help. All other elements like Menus, Content, Components, Extensions etc are not there.
Also I do not find any way to access those elements (menus, components). There are not icons on the screen to access them.
Could someone please help me figure out this issue?
Thanks in advance
Regards,
MulC
EDIT:
Following is the screenshot of the admin page
http://postimage.org/image/youvqynh7/
user admin belongs to the group 'Super Administrator'
Thank you
It's very strange that this should happen unless your client has been fiddling with the core Joomla files or database tables.
Update the site to the latest version of the 1.5 series (1.5.26)
Download the full Joomla package, extract the administrator, components, includes, libraries, modules and plugins folder, zip them up and upload to the server, replacing the current folder. Not to worry, this will only override the core files which I assume haven't been edited.
Try downloading and installing another admin template.
Else the only other thing I can think of is reconstructing the website which might take a while, depending on the amount of work that went into it.
In Joomla! 1.5.x a common security step was to create an alternate "super user" and downgrade the default admin account to a standard registered. Due to issues in early versions of 1.5 though it wasn't recommended to delete or disable this account.
This sounds like what is going on with your admin account.
You can check this by looking at the database: in the table jos_users, look for the username admin and see what its usertype is set to. At the same time look for a user that has a usertype of Super Administrator (yes, really the words Super Administrator).
Once you have the username of the Super Administrator, you will need to find the password. If the client doesn't know it then you will have to recover the admin password.

Orchard cms - custom login module with users in another database

I'm evaluating Orchard CMS for my employer and just wanted to ask a question about login and membership.
Our users and their roles are in another database which are exposed via an API and I would need to just get pointed in the right direction if it is possible to solve this in Orchard.
The users must be able to login on the orchard site and it will display different content depending on their role. The admins and editors will use the built in user db.
What would be the correct way to solve this? Some kind of module or custom membership provider?
Also, is it possible to set visibility rules in orchard admin for content based on the roles from the other external DB?
Please do ask if you find something in my question confusing.
There were not that many modules in the Orchard gallery but I have been playing around with a few, so I am now answering my question and hope it helps others looking to build their own custom login.
The one which helped me most was the windows authentication module which was really easy to rewrite to work against an external service.
edit: typo

Is there a way in Joomla to have public user profiles?

I installed Joomla 1.7 and I noticed that you can have user profiles with the user profile plugin. However, is there a way to publicly access a user's profile (without logging in)?
For instance, I noticed that you can go to:
/index.php?option=com_users&view=profile
However, that seems to pull up my own profile. If I am logged out it always redirects you to the login form. I have tried adding additional variables like "id=1", "user_id=1", or "userId=1".
Is there a way to do this? Or will I have to develop a component to pull in this information publicly?
Even though it is not possible with a clean Joomla website, a lot of useful code comes with it, which you could include in your component if you prefer to create one.
But... there is a great extension Community Builder with a great team behind it. Having used it in the past, I would highly recommend it as a solution for community based sites.
It changes the login form to a much better & bug-free form, enables more fields to be created for registration, and allows special pages for individual users, plus, community builder has extension-specific plugins.
EDIT: This answer needs an update, as since it was added more extensions have been introduced like JomSocial or EasySocial. I cannot recommend CommunityBuilder any more.
This post is tagged with Joomla 1.7 however I wanted to mention that if using Joomla 3.7.4 you now have the ability to show the User Profile plugin data from the core Contacts component. You can also add more custom fields to the Users component and they will also show from the Contacts component. You can set the display of the Users Profile info by going to the Admin panel -> Contacts -> Options. Turn on the option under; Contact -> User Profile -> set to "Show".

Change Registration form in Joomla 1.5

I am developing a website where I need to create two user types. One is "member" and the other is "merchant". Both have different areas to be accessed. I am really confused on how can I achieve this.
Also I am trying to add my custom fields of First name and Password in the default Joomla registration form. As soon as I add a new TR with field first name the registration form stops working.
Can you guys help me in doing this?
If you have some trouble with the default Joomla registration, you could use Community Builder. It is pretty easy to add fields to the user's profile and user registration. To separate members and merchants you could add a field to the registration form called, for example, Account type. And then according to its value assign the new user as registered (members) or author (merchant).
First, adding user types in 1.5 is not going to accomplish the access requirements you have described. You would need to install an access control component to control different user types accessing different content.
Next, Joomla 1.5 is nearing end of life, April 2012 to be exact. Version 1.7.x released last week so you should very seriously consider moving the site to the latest version. An added bonus is that Joomla 1.7.x has built in access control levels that would accomplish what you are trying to do.
Regarding different access levels, the best thing to do would be to upgrade to Joomla 1.6/1.7. It has this functionality built in. It may be possible to achieve this in 1.5 with third party components, but I don't have any experience with this.
Regarding custom registration fields, again, if you upgrade to 1.6/1.7 it has User - Profile plugin which allows to add additional fields to your registration form.
In 1.5 you can use third party components such as ExtendedReg (commercial).
Or alternately edit core files: http://www.mysysadmintips.com/index.php/web/100

Joomla 1.5 user group questions

Does it affect the way joomla authenticate users if I add a custom user groups in the Joomla 1.5.15 and does it make it less secure?
I'm planning to add a custom group using the table jos_core_acl_aro_groups as described at http://docs.joomla.org/Custom_user_groups.
But someone told me that if I add a new user group and the group_id is greater than 25 (this is the ID of the Super Administrator), that new group will have the same access as the super admin in the default joomla core files without changing anything just the additional user group. Is this true?
Don't you have a local install of Joomla to try this?
Anyways, it's not true because it can't be, why should the group_id define the access rights? That would be a terrible ACL implementation. But please try it, before you actually use it live.
In Joomla 1.5 you can make user groups but they will have one of the existing role patterns. In Joomla 1.6 (alpha) there will be full flexibility in defining your groups, roles and granular ownership settings for each article, module, etc.
There are several extensions you can find at:
http://extensions.joomla.org/extensions/access-a-security
Which enhance the core ACL functions. Give them a look and you'll probably find the solution without hacking the core files.
