VERY IMPORTANT!
Hi!
I did an upgrade of the userpoints module: I upgraded the userpoints module to the latest 3... and then I added userpoints_contrib.
I enabled the role module (assign role based on userpoints)
but found no settings where I can set which role can be assigned and how many points I can set for assigning some role.
But after this module part (role) was enabled, each user who did some action with userpoints (e.g. created a node)
got ALL roles on my page, INCLUDING THE ADMIN ROLE.
Until I added userpoints_contrib, I didn't allow assigning roles for userpoints (probably the old 1.x module doesn't allow this at all), so I really understand why this works that way I found...
Thanks
Igorik
http://www.somvprahe.sk
Comments
Comment #1
kbahey commented
There should be a setting for each role where you can specify each role and how many points are needed to join that role.
This should be under admin/settings/userpoints
Comment #2
igorik commented
Hi!
Thanks for the fast reply.
You are right, I disabled the role module part as soon as I found that problem, so then I didn't see it in settings.
I enabled it for a moment and I found those settings.
But there is zero in all role inputs so no role could be assigned.
BTW I forgot to write in my first message that I did upgrade from userpoints 1.x to the latest userpoints 3.5 + I added userpoints_contrib 5.x.3.x.
thanks for your effort
Igorik
Comment #3
shawtygotit01 commented
Um, what's a role? I don't get it.
Comment #4
igorik commented
The main problem is that it assigned the ADMIN role to many users.
I am sure that it is a critical security bug, because I made no changes for role assignment, just enabled the role part of the module.
There is zero in all role inputs, so it could assign no role.
Igorik
Comment #5
kbahey commented
Can you attach a screen shot of the settings page (the role part)?
Comment #6
michelle
I had this happen to me as well when I tried userpoints_role a long time ago. Since it's been so long, I don't know if it's the same problem anymore, but I thought I'd mention that you're not alone. Luckily I have a small community and nice users and I don't think they noticed it before I did. I quickly disabled the module and haven't touched it since.
Michelle
Comment #7
igorik commented
Hi,
here it is
Comment #8
kbahey commented
Change the "points for role administrator" to a very high number, e.g. 999999999.
This way, no one will be able to join it.
Do the same for other roles that you do not want anyone to join.
For the other roles, set a threshold that is reasonable (e.g. 1000 or so).
Do not leave any role as 0. That was the problem.
Please close this issue if that does solve the problem for you.
Comment #9
jredding commented
Hmm. Ya, this should probably be fixed; 0 should mean don't assign this role. If I get a chance this week I'll try to tackle this because it seems simple to fix yet so annoying.
Comment #10
michelle
"Do not leave any role as 0. That was the problem."
Yes, that's what's dangerous. I installed the module along with a bunch of others, didn't get to configuring it, and suddenly a bunch of my users were admins. If you don't want 0 to turn it off, then it should default to 9999999999 or whatever the highest allowable number is in there. Otherwise, simply enabling the module puts your site in potential danger.
Michelle
Comment #11
kbahey commented
I made a modification to the module to ignore roles which have zero points.
It is attached to this comment. Replace the one you have with this one (and rename it from the .txt extension).
igorik, can you please install this version, set some roles to 0 and see if they are ignored?
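
The failure mode discussed in comments #8 to #11, as an added example that is not part of the original thread and is not the module's own code. It is plain PHP with no Drupal API; the function names, the role names other than administrator, and the sample thresholds are constructed, and the `>=` comparison is an assumption modelled on the behaviour reported above.

```php
<?php
// Added illustration in plain PHP; no Drupal API is used and all names are hypothetical.

// Behaviour as reported in the thread: a role is granted once the user's
// points reach its threshold, so an unconfigured 0 matches everyone.
function roles_earned_before_fix(int $points, array $thresholds): array {
  $granted = [];
  foreach ($thresholds as $role => $required) {
    if ($points >= (int) $required) {
      $granted[] = $role;
    }
  }
  return $granted;
}

// Behaviour after the change in comment #11: zero means "ignore this role".
// Empty, non-numeric or negative settings are treated the same way (fail closed).
function roles_earned_after_fix(int $points, array $thresholds): array {
  $granted = [];
  foreach ($thresholds as $role => $required) {
    $required = (int) $required;
    if ($required <= 0) {
      continue;
    }
    if ($points >= $required) {
      $granted[] = $role;
    }
  }
  return $granted;
}

// Constructed settings: a fresh install (all inputs 0) and a site where
// only one role has been given a threshold.
$cases = [
  'fresh install' => ['administrator' => 0, 'editor' => 0, 'member' => 0],
  'one role set'  => ['administrator' => 0, 'editor' => '', 'member' => 1000],
];

foreach ($cases as $label => $thresholds) {
  foreach ([5, 1000] as $points) {
    printf("%-13s %4d pts  before: [%s]  after: [%s]\n", $label, $points,
      implode(', ', roles_earned_before_fix($points, $thresholds)),
      implode(', ', roles_earned_after_fix($points, $thresholds)));
  }
}
```
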
Comment #12
igorik commented
Hi
It works fine now. Thanks for it and for this great module.
Igorik
http://www.somvprahe.sk
Comment #13
kbahey commented
Committed to 5.x-3.x.
Comment #14
Anonymous (not verified) commented
Automatically closed -- issue fixed for two weeks with no activity.