News posted by REAL NAME
Posted: Fri Oct 30, 2009 6:52 pm
by Sonya
If you post a news article with an admin account on the website, the username is revealed on the website. As this is a big security issue, it would be better to replace the username with the user’s last and first name.
1. Create a new user defined tag (Extensions -> User Defined Tags), call it realname and add the code shown below:
Code:
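// UDT body (PHP). Expects the numeric user ID in the "user" parameter.
global $gCms;
$db = $gCms->db;
$query = "select first_name, last_name from " . $gCms->config['db_prefix'] . "users where user_id = ?";
// Bound parameter; the cast keeps non-numeric input out of the query.
$row = $db->GetRow($query, array((int) $params['user']));
if ($row) {
    // Escape before output (assumes a UTF-8 site): the name fields are free text.
    echo htmlspecialchars($row['first_name'] . ' ' . $row['last_name'], ENT_QUOTES, 'UTF-8');
}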
This code will return the user’s first and last name from the user account. It assumes that the parameter user with the user ID is provided for the UDT.
2. In the admin console click on Content -> News and switch to the tab Summary Templates. Open your template for edit and search for the Smarty variable {$entry->author}. Replace the variable with the Smarty tag {realname user=$entry->author_id}. Save the template and see the changes on the website.
3. Do the second step with Detail Template as well.
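A way to verify steps 2 and 3, as an added example that is not part of the original post: it scans News template text for leftover {$entry->author} output tags and checks a rendered page for known login names. The template text, page HTML and login list are constructed samples, and the function names are hypothetical.

```python
import re

# Matches a Smarty output tag that prints the login name, e.g. {$entry->author}
# or {$entry->author|escape}; {$entry->author_id} and {realname ...} do not match.
AUTHOR_TAG = re.compile(r"\{\s*\$entry->author\s*(?:\|[^}]*)?\}")


def find_author_tags(templates):
    """Return (template name, line number, line) for every leftover tag."""
    hits = []
    for name, text in templates.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if AUTHOR_TAG.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def find_login_names(html, usernames):
    """Return the login names that appear as whole words in rendered HTML."""
    found = []
    for user in usernames:
        pattern = r"(?<![\w-])" + re.escape(user) + r"(?![\w-])"
        if re.search(pattern, html, re.IGNORECASE):
            found.append(user)
    return found


# Constructed sample data: two News templates and one rendered page.
SAMPLE_TEMPLATES = {
    "Summary": "<h2>{$entry->title}</h2>\n<p>by {realname user=$entry->author_id}</p>",
    "Detail": "<h1>{$entry->title}</h1>\n<p>Posted by: {$entry->author|escape}</p>",
}
SAMPLE_HTML = "<h1>Annual meeting</h1><p>Posted by: gs77123</p>"
SAMPLE_LOGINS = ["admin", "gs77123"]

if __name__ == "__main__":
    for name, lineno, line in find_author_tags(SAMPLE_TEMPLATES):
        print(f"{name} template, line {lineno}: {line}")
    for user in find_login_names(SAMPLE_HTML, SAMPLE_LOGINS):
        print(f"login name visible in page: {user}")
```

In the sample the Summary template is already converted, while the Detail template still prints the login name, which is the case step 3 covers.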
Re: News posted by REAL NAME
Posted: Fri Oct 30, 2009 8:37 pm
by jmcgin51
Hi Sonya - this is a useful UDT, but only if the administrator's username is actually admin (which is never good security practice). For administrators that have changed their username to any other name, it's not such a big issue.
Also, what if I don't want the real name of my user revealed?
How about a UDT that would follow this logic instead:
Code:
IF username == admin
username = blah
So that most articles would appear with the author's username, but if the username is "admin" (or whatever the name of the administrative user is), it gets replaced with a "proxy" name for purposes of displaying the News author. The actual username wouldn't change, just the displayed name.
I think this could actually also be done easily in the News template, rather than by a separate UDT, since it's a simple replacement and no separate db query is required.
Re: News posted by REAL NAME
Posted: Fri Oct 30, 2009 11:58 pm
by Sonya
jmcgin51 wrote:
this is a useful UDT, but only if the administrator's username is actually admin (which is never good security practice). For administrators that have changed their username to any other name, it's not such a big issue.
It does not matter what the administrator's username is. It IS a big security issue if you reveal a username whether it is admin, master or pussycat.
Knowing the username means knowing half of the login information. In this case the password alone should resist guessing and brute-force attacks.
jmcgin51 wrote:
Also, what if I don't want the real name of my user revealed?
You do not need to store the real name; use Mickey Mouse or any other unreal nickname, but make it different from the username.
jmcgin51 wrote:
How about a UDT that would follow this logic instead:
Code:
IF username == admin
username = blah
This would only save the administrator login, but what about other users that might have access to the admin console and publish news? It is even more dangerous to show their usernames as they are mostly inexperienced users with weak passwords.
Re: News posted by REAL NAME
Posted: Sat Oct 31, 2009 12:00 am
by replytomk3
Because most of the time there is only one editor involved, why not disable display of any name at all???
Re: News posted by REAL NAME
Posted: Sat Oct 31, 2009 12:04 am
by Sonya
replytomk3 wrote:
Because most of the time there is only one editor involved, why not disable display of any name at all???
This trick is useless for a one-editor installation. If there is only one editor you can replace {$entry->author} with the editor's name as simple text or delete it from the template completely.
Re: News posted by REAL NAME
Posted: Sat Oct 31, 2009 3:18 pm
by jmcgin51
OK, I misunderstood your original point. Your original post said
Sonya wrote:
If you post a news article with an admin account on the website,
I read this to be referring to THE administrator account on the site, but I think you actually meant anyone with any kind of administrative privileges.
Sonya wrote:
It does not matter what the administrator's username is. It IS a big security issue if you reveal a username whether it is admin, master or pussycat. Knowing the username means knowing half of the login information. In this case the password alone should resist guessing and brute-force attacks.
Yes, I agree completely.
Sonya wrote:
You do not need to store the real name; use Mickey Mouse or any other unreal nickname, but make it different from the username.
For sites with multiple administrators/editors/etc, this would complicate user management. If a username is "gs77123" and the stored real name is "Mickey Mouse", I have no idea who that user really is, unless I have yet another (separate) cross-reference.
Anyway, we're on the same page now - thanks for bringing me around!!
Re: News posted by REAL NAME
Posted: Sat Oct 31, 2009 4:33 pm
by Sonya
jmcgin51 wrote:
OK, I misunderstood your original point.
Well, it probably would have been better if I had described the customer requirement
I have written this UDT for an organization website, where 3 persons publish news. One of them is the administrator of the website, the other two can only publish news. The website is an official website for the organization, so there is no need to hide the real names of the news publishers. On the contrary, they _want_ their real name to be associated with each news article posted on the website. Due to the restrictions applied to the username I am not able to save the full name of the user, e.g. Jürgen Schlößer. The name has some special German characters in it and, logically, a space between first and last name.
The customer asked me: "What is the purpose of saving first and last name in the account information without the possibility to connect it to the news article?" I could not give an answer, but a UDT

Re: News posted by REAL NAME
Posted: Tue Nov 17, 2009 12:30 pm
by Zoorlat
Great UDT. I have also always wondered why the username was shown as author. Will use this.
Thanks Sonya!
Re: News posted by REAL NAME
Posted: Thu Nov 19, 2009 4:16 pm
by tyman00
Super easy Sonya! Thanks for sharing
