Actually, what I have so far in this system... It's really, really nice =)...
Our GMs are currently using it and it features the following:
1. Fully functional GM login (from the account table).
2. Permissions are based upon status, in which you can CUSTOMIZE from the backend.
3. You specify what "groups" can see, read, modify, delete what; you specify what other groups can specify what you can; you specify what other groups can login, see players, see only GMs, etc.
4. If you can see and modify a GM group, you can reset passwords, reset statuses, see characters (Working on editing characters atm) and much more.
This thing already has a ton of features and I'm only about 30% done with it... It's a pre-alpha right now, so if you want to help test it out, send me a PM, but I'm not publishing it publicly just yet.
Also, some security measures I took in this script to really drown anyone who might want to hack it =)...
I currently made one function that constantly checks for some values, and if any are true, the function runs a routine that basically destroys (if any) session cookies (to log the user out); if they were logged in, it would reset their status to -2 (for banned), and would ban the IP address from the virtual host directory (in .htaccess).
So if you are an admin, make sure you aren't trying anything funny on the script, it has already locked me out once he he... but of course I was testing it too =P.
Basically, here are a few things it's looking for... Since the form only displays the values you can submit (like if your status is 100 and you are editing someone at 80, as defined by the admin), submitting the form with a higher value than what is allowed (like trying to submit a value of 150 for status) would kick in the HackerBurner function.
Attempts to use fake cookies to gain access would activate the function, as would trying to access areas of the site you aren't supposed to be able to access.
I put an old Army buddy to the test the other day on a test box. I told him there was 20 dollars for him if he could break into the system without a ban within 10 mins...
It took him 14; however, keep in mind he's a pro as well and would make VB or phpBB look like wet paper sacks when it comes to security lol =P.
So basically, the system has been locked down, it is functional... but there are a few other changes we will make before releasing it...
1. Characters and items will be editable from the web interface =).
2. Keys/Flags, Skills, and AA's will also be manageable.
3. Full integration of the petition system into this system.
4. Code Clean up... and make the HTML look half-way decent he he.
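The status-ceiling and fake-cookie checks described above, written out as an added example (this is not the tool's own code, which is not on this page): every submitted status is validated on the server against the editor's own permissions, whatever the form displayed, and a tripped check runs the lockout the post describes. The permission table, account records, session tokens, IPs and all function names are constructed assumptions.

```python
BANNED_STATUS = -2  # the post's "banned" status value

# Constructed permission table: actor status -> (highest target status the actor
# may edit, highest status value the actor may assign). Illustrative numbers only.
PERMISSIONS = {250: (200, 200), 100: (80, 80), 50: (0, 0)}


def burn(reason, actor, session, ip, ban_list):
    """Lockout routine: destroy the session, ban the account, ban the IP."""
    session.clear()                        # logs the user out
    if actor is not None:
        actor["status"] = BANNED_STATUS    # reset status to -2 (banned)
    if ip not in ban_list:
        ban_list.append(ip)                # a live site would write this to .htaccess
    return {"allowed": False, "reason": reason}


def check_status_edit(session, valid_tokens, accounts, target_name, new_status, ip, ban_list):
    """Validate a 'set status' submission on the server, ignoring what the form offered."""
    actor = accounts.get(session.get("account"))
    if session.get("token") not in valid_tokens or actor is None:
        return burn("cookie not issued by the server", actor, session, ip, ban_list)
    rules = PERMISSIONS.get(actor["status"])
    if rules is None:
        return burn("actor status has no permissions", actor, session, ip, ban_list)
    edit_ceiling, assign_ceiling = rules
    target = accounts.get(target_name)
    if target is None:
        return {"allowed": False, "reason": "no such account"}  # a typo, not tampering
    if target["status"] > edit_ceiling:
        return burn("target outside editable range", actor, session, ip, ban_list)
    if not isinstance(new_status, int) or new_status > assign_ceiling:
        return burn("submitted status above allowed maximum", actor, session, ip, ban_list)
    target["status"] = new_status
    return {"allowed": True, "reason": "ok"}


def demo():
    """Constructed scenario: a status-100 GM edits a status-80 account, then submits 150."""
    accounts = {"gm": {"status": 100}, "newbie": {"status": 80}}
    tokens = {"tok-gm"}
    ban_list = []
    session = {"account": "gm", "token": "tok-gm"}
    ok = check_status_edit(session, tokens, accounts, "newbie", 60, "10.0.0.5", ban_list)
    bad = check_status_edit(session, tokens, accounts, "newbie", 150, "10.0.0.5", ban_list)
    return ok, bad, accounts["gm"]["status"], ban_list, session
```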