Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

Install skin for ADMIN user
New Post
9/23/2010 6:25 AM
 
Is it possible for an Admin user to upload a skin?
Obviously NO in v.5, but is there a workaround that you know?
I don't want to update a host user, but I want an admin to be able to change their skin.

Thanks
rmartin
 
New Post
9/23/2010 6:59 AM
 
AFAIK, there is no way around this but to create your own custom skin install module.
Please note that an admin who has skin upload rights can make himself host within 10 seconds, which is why this was blocked.
 
New Post
9/23/2010 9:14 AM
 
Rino
I am also looking at ways to provide Admin users the ability to upload skin/container packages.  

Since the change preventing Admin users this functionality I am seeing a lot more site owners give out Host/Super User accounts just so their designers can upload the skin packages, as it's a usability issue. This in itself defeats the reason for the change and IMO creates a bigger security nightmare.

My idea is for a module that provides the ability to upload a package whilst checking it for security issues. This way a site admin can provide a non-admin user the functionality whilst not even providing them site admin rights. This granular control is much better than the current approach.

To develop such a module will cost; would you be interested in contributing?

Antony
 
New Post
9/23/2010 10:46 AM
 
From a security perspective, giving an Admin skin upload rights is the same as making them host.
(I created an example skin for myself once that writes the host PW to the page)
In the new situation you know a user with skin upload rights is a host user, there is no false security anymore.
That's why this was changed.
I must say I had expected someone to publish a skin upload module on CodePlex by now, but AFAIK there isn't.

A skin upload module with security check has been discussed too, but that's not that easy to do if you want to make it really secure...
 
New Post
9/23/2010 11:41 AM
 
The module functionality would have security implications.  But it would be up to the Host to consider these and control who has access to the module.

The following are my current thoughts on functionality:

The solution I believe is a module that can be deployed by site administrators allowing users in roles administrators provide View permissions to, to upload skin/container packages that are checked for safety and can only be installed in the current portal. The module should accept the types of skin packages that the current core module does (i.e. html, ascx). Ideally the module should be compatible with DotNetNuke versions 4.9.5 and up.

The difficult part is determining what is ‘safe’ as this will vary from site owner to site owner. Therefore, the module will have to provide the ability to provide a range of options which can only be configured on an install level by a Host user. Probably through another module only available to Host users.

The ‘safety’ configuration process would interrogate the current install for extensions and menu providers that can be used in skins uploaded through the upload module and present them as items to allow. It would also provide the option to allow some of the functionality built into ASP.NET, working in a way that if it’s not specifically allowed it’s excluded. The super user selects which items they want to allow and saves the settings (using RegEx?).
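
The default-deny rule proposed in the last post ("if it's not specifically allowed it's excluded"), as an added example that is not part of the thread and not DNN code. It checks one .ascx skin file against a host-configured allowlist; the allowlist values, the function name `check_ascx` and the sample skins are assumptions constructed for illustration.

```python
import re

# Assumed host-level settings (hypothetical values a Host user would configure).
ALLOWED_SRC = {"~/admin/skins/logo.ascx", "~/admin/skins/login.ascx"}
ALLOWED_BASE = {"dotnetnuke.ui.skins.skin", "dotnetnuke.ui.containers.container"}
CONTROL_ATTRS = {"language", "autoeventwireup", "explicit", "inherits"}

BANNED = {
    "inline code block": re.compile(r"<%(?!\s*@|--)"),        # <% %>, <%= %>, <%# %>
    "server-side script": re.compile(r"<script\b[^>]*\brunat\b", re.I),
}
DIRECTIVE = re.compile(r"<%\s*@\s*(\w+)(.*?)%>", re.S)
ATTR = re.compile(r"(\w+)\s*=\s*[\"']([^\"']*)[\"']")
TAG = re.compile(r"<(\w+:\w+)")                               # e.g. <dnn:LOGO ...>

def check_ascx(text):
    """Return the reasons to refuse one .ascx skin; whatever is not allowed is refused."""
    reasons = [why for why, rx in BANNED.items() if rx.search(text)]
    registered = set()
    for kind, body in DIRECTIVE.findall(text):
        kind = kind.lower()
        attrs = {k.lower(): v.lower() for k, v in ATTR.findall(body)}
        if kind == "control":
            if set(attrs) - CONTROL_ATTRS or attrs.get("inherits") not in ALLOWED_BASE:
                reasons.append("control directive not allowed")
        elif kind == "register" and attrs.get("src") in ALLOWED_SRC:
            # Only tags backed by an allowlisted control may appear in the markup.
            registered.add(f"{attrs.get('tagprefix')}:{attrs.get('tagname')}")
        else:
            reasons.append(f"directive not allowed: {kind}")
    for tag in TAG.findall(text):
        if tag.lower() not in registered:
            reasons.append(f"tag not allowed: {tag.lower()}")
    return reasons

# Constructed sample skins (not taken from any real package).
GOOD = """<%@ Control language="vb" AutoEventWireup="false" Explicit="True" Inherits="DotNetNuke.UI.Skins.Skin" %>
<%@ Register TagPrefix="dnn" TagName="LOGO" Src="~/Admin/Skins/Logo.ascx" %>
<div><dnn:LOGO runat="server" id="dnnLOGO" /></div>
<div id="ContentPane" runat="server"></div>"""
BAD = """<%@ Control language="vb" Inherits="DotNetNuke.UI.Skins.Skin" %>
<%@ Register TagPrefix="x" TagName="Tool" Src="~/DesktopModules/Tool/Tool.ascx" %>
<div><%= DateTime.Now %></div>
<x:Tool runat="server" /><asp:Label runat="server" id="l" />"""

if __name__ == "__main__":
    for name, skin in (("good", GOOD), ("bad", BAD)):
        print(name, check_ascx(skin) or "accepted")
```

A regex pass does not parse markup the way the ASP.NET runtime does, so it only works as a fail-closed first filter: anything it cannot positively match against the allowlist is refused.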

 