Studio Security

How can I test the security of Studio and lock "Studio" down so that all modules are visible only to the admin?

At present these pages appear to be visible on a number of UNA sites:

https://sitename.com/studio/launcher.php

https://sitename.com/studio/designer.php 

https://sitename.com/studio/settings.php


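One way to answer the "how can I test it" part of the question from outside the site, added here as an example and not UNA's own code. It requests the three Studio URLs listed above, first anonymously and then with the session cookie of a low-privilege test account, and classifies each response. The verdict heuristics (a 3xx as a redirect to login, a 200 page containing a password field as a rendered login form, any other 200 as the Studio UI being served, a 404 as the folder being absent or renamed) are assumptions about the site's HTML made for this example, not documented UNA behaviour; the cookie value and site name are placeholders you supply.

```python
"""Check, from outside, whether the Studio entry pages are reachable.

Added example, not UNA's own code. Requests the three Studio URLs named in
the question, once anonymously and once with the session cookie of a
low-privilege test account, and classifies each response. The verdict
heuristics are assumptions about the site's HTML, not documented UNA
behaviour; adjust them for your install.
"""
import urllib.error
import urllib.request

STUDIO_PAGES = ("studio/launcher.php", "studio/designer.php", "studio/settings.php")


def classify(status, body):
    """Map an HTTP status and response body to a short access verdict."""
    if 300 <= status < 400:
        return "redirect"        # usually bounced to the login page
    if status == 404:
        return "missing"         # e.g. the studio folder was renamed
    if status in (401, 403):
        return "denied"
    if status == 200 and 'type="password"' in body.lower():
        return "login"           # login form rendered in place (heuristic)
    if status == 200:
        return "open"            # Studio UI served: this session has access
    return "http-%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the verdict reflects the first hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def fetch(url, cookie=None, timeout=10):
    """GET one URL without following redirects; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "studio-access-check"})
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and any 4xx/5xx land here
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, cookie=None, pages=STUDIO_PAGES):
    """Return {page: verdict} for each Studio page under base_url."""
    base = base_url.rstrip("/")
    return {page: classify(*fetch(base + "/" + page, cookie)) for page in pages}


def has_exposure(verdicts):
    """True if any page was served to this session (an 'open' verdict)."""
    return any(v == "open" for v in verdicts.values())


if __name__ == "__main__":
    import sys
    # Placeholders: pass your site and, optionally, the cookie header of a
    # non-admin test account (e.g. a freshly registered, unconfirmed one).
    site = sys.argv[1] if len(sys.argv) > 1 else "https://sitename.com"
    member_cookie = sys.argv[2] if len(sys.argv) > 2 else None
    print("anonymous:", probe(site))
    if member_cookie:
        member = probe(site, member_cookie)
        print("member   :", member)
        print("EXPOSED" if has_exposure(member) else "ok")
```

Run it once with no cookie and once per non-admin account type you care about (Standard, Unconfirmed, Suspended). Every non-admin session should come back as redirect, login or denied on all three pages; an "open" verdict for a session that is not an admin or operator is exactly the exposure to chase down.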
Replies (23)
  • When I try those links for mine it is just a login page. I don't recall doing anything to secure that, it's this way by default for me I believe. I am hosted with UNA though, are you?

    • The HTTP 404, 404 Not Found, 404, Page Not Found, or Server Not Found error message is a Hypertext Transfer Protocol (HTTP) standard response code, in computer network communications, to indicate that the browser was able to communicate with a given server, but the server could not find what was requested.

      • Hello InPage!

        As you were told above, there is no big danger if these pages are visible to others, because all of them are unavailable to anyone who is not logged in as an admin / operator. But you may try to rename the studio folder and correct this constant:

        define('BX_DOL_STUDIO_FOLDER', 'studio');

        in the inc/params.inc.php file.

        • When I try those links for mine it is just a login page. I don't recall doing anything to secure that, it's this way by default for me I believe. I am hosted with UNA though, are you?

          If you are logged in to the site, the links are all fully functional even when logged in as "Unconfirmed"


          • LeonidS, these pages are available to all members that are logged in, including "unauthenticated" accounts. I can access these pages and change settings, send e-mails, delete accounts. This is very worrying.


            • Have you tried studio > permissions > level > you can change what each level can see or not see

              • Hi Will, 

                There is no way to manage the permissions for Studio here. 

                This appears to be a security vulnerability that is related to the sites set-up. I need to find out how to ensure that only Admins can access Studio functionality.

                • Can you get to studio with admin account?

                  • I can get to studio with ANY account. That is the problem

                    • I assume that you just recently downloaded the UNA platform, which means that you probably have very few, or maybe just fewer than 5, accounts because you're learning the platform and customizing it, correct?

                      • You can also configure membership levels by visiting user profiles and changing the membership as shown in the attached picture.

                        • I am not able to reproduce this with my site. The studio is locked down to Admins and Operators only by default. 

                          So unless you changed something somehow, this should not be possible. For example, if you changed the value in Studio > Persons and switched the default member level to something other than Standard. 

                          Are you saying that all of your members have a "Studio" icon in the member menu? You are not testing this by "Create a new profile" using your Admin account are you?


                          • No incorrect, 

                            We are growing and will be past 1,500 accounts early next week. I need to get Studio locked down before someone changes all our settings.


                            • All my members had a Studio Icon visible in their profiles. I went and set that link to visible by Admin only.

                              Studio > Persons is set to "Standard" 

                              We created test accounts when we set the platform up, to test membership levels and enable different functionality at each level.

                              Would you know where I manage the setting on who has access to Studio? 

                              Our Suspended accounts can perform only one action, that is contact us. Yet they can still access Studio.


                              [screenshot attached]

                              • Have you tried what Chris suggested?

                                • Hi Will, yes. Tried what Chris suggested and replied above with more detail. 

                                  We upgraded from 9 to 10 and are currently on 10.1

                                  • Looks like you have done some custom settings to your permissions. Unauthenticated users have 15 actions they can do????? I also see you created a new "Contributor" level as well.

                                    Access to the Studio is done by "Role" level and not a permission. As you may have noticed, if you click any of the actions you will not see "Studio" anywhere. Anywho, not sure what you did but I would suggest going into your database via PhpMyAdmin or whatever you use to view it, and open up the sys_accounts table. You will see a "Role" column to the right of your users. Only the role of "3" (Admin/Operator) should have access to the Studio. 

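A way to turn the sys_accounts check in the reply above into a repeatable audit, added here as an example and not UNA's own code. It assumes, as stated above, that sys_accounts has a role column and that 3 is the Admin/Operator role; the other columns used (id, name, email), the sample rows and the value 1 used for a demoted account are constructed assumptions for this example, so confirm them against your own install before running anything. The in-memory SQLite table stands in for MySQL so the script runs offline; the SQL strings themselves are what you would paste into phpMyAdmin. The script lists every role-3 account, flags the ones that are not on your allowlist of expected admins, and prints the UPDATE statements for review before applying them.

```python
"""Audit which accounts hold the Studio-granting role in sys_accounts.

Added example, not UNA's own code. Assumes, as the reply above states, that
sys_accounts has a `role` column and that role 3 means Admin/Operator. The
column set (id, name, email, role), the sample rows and DEMOTED_ROLE = 1 are
constructed assumptions for this example; check them against your install.
SQLite stands in for MySQL so the script runs offline.
"""
import sqlite3

STUDIO_ROLE = 3    # Admin/Operator, per the reply above
DEMOTED_ROLE = 1   # ASSUMPTION: ordinary member; confirm the value in your install

# Constructed sample data standing in for a real sys_accounts table.
SAMPLE_ACCOUNTS = [
    (1, "admin", "admin@example.com", 3),
    (2, "alice", "alice@example.com", 1),
    (3, "test-unconfirmed", "test1@example.com", 3),  # leftover test account
    (4, "suspended-user", "sus@example.com", 3),      # should never be role 3
    (5, "bob", "bob@example.com", 2),
]

# The query you would run by hand in phpMyAdmin (with 3 in place of the ?).
AUDIT_SQL = "SELECT id, name, email FROM sys_accounts WHERE role = ? ORDER BY id"


def load_sample_db():
    """Build an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_accounts (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, role INTEGER)"
    )
    conn.executemany("INSERT INTO sys_accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def accounts_with_role(conn, role=STUDIO_ROLE):
    """Rows (id, name, email) of every account holding the given role."""
    return conn.execute(AUDIT_SQL, (role,)).fetchall()


def unexpected_studio_accounts(conn, expected_admins):
    """Role-3 rows whose account name is not on the allowlist."""
    return [row for row in accounts_with_role(conn) if row[1] not in expected_admins]


def demotion_statements(rows, new_role=DEMOTED_ROLE):
    """Literal UPDATE statements to review (and paste) before changing anything."""
    return [
        "UPDATE sys_accounts SET role = %d WHERE id = %d;" % (int(new_role), int(row[0]))
        for row in rows
    ]


def apply_demotion(conn, rows, new_role=DEMOTED_ROLE):
    """Demote the given rows by id only; returns how many were changed."""
    conn.executemany(
        "UPDATE sys_accounts SET role = ? WHERE id = ?",
        [(new_role, row[0]) for row in rows],
    )
    conn.commit()
    return len(rows)


if __name__ == "__main__":
    db = load_sample_db()
    rogue = unexpected_studio_accounts(db, expected_admins={"admin"})
    print("unexpected role-%d accounts:" % STUDIO_ROLE, rogue)
    for stmt in demotion_statements(rogue):
        print(stmt)
    apply_demotion(db, rogue)
    print("remaining role-%d accounts:" % STUDIO_ROLE, accounts_with_role(db))
```

Review the printed list before applying anything: the allowlist is by account name, so a legitimate admin you forgot to list would be demoted too. Demote by id rather than by name so that a later rename cannot change which row the UPDATE hits.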
                                    • InPage  Try this to buy some time:

                                      Studio > Developer > [pick a module / Accounts in picture] > Settings > Visibility

                                      Verify the Visibility is set for only Admin & Moderator, if so already, try removing Moderator and leave only Admin selected.

                                      [screenshot attached]

                                      • For the record, can be completed in Pages module as well, it's not encouraged to make changes in Developer unless necessary.

                                        [screenshot attached]

                                        • Thank you Chris, that is perfect advice. Found the problem and understand what caused the issue. I now have everyone off role "3" that should not have been on it. 

                                          I love UNA and the underlying functionality, I still need to understand it way better. 

                                          Thank you for your help.

                                          • Thank you James

                                              • Glad you were able to resolve your problem

Category: UNA - Social Media Software Framework