Update your EasyBlog's ACL

We have received numerous emails and forum posts stating that they are being hacked because users were able to post and publish blog posts on the site. The team performed some code forensics and there wasn't any real way for anyone without access to publish blog posts on the site. The one and only way for users to do this is when they are given the access to do so. We managed to debug the affected sites and realized that it's just a simple case of bad configuration on the site.

What happened?

By default, Joomla will allow anyone to register on a site using com_users. Registered users are automatically placed in the ACL group "Registered". EasyBlog 5, by default, allows users in the ACL group "Registered" to create and publish blog posts. Put these two default settings together and you get users registering and spamming sites with unwanted posts.

Whose fault is this?

It's nobody's fault, actually. Joomla! by default allows anyone to register on your site through its own Users extension (com_users), while EasyBlog by default allows registered users to post and publish blog posts, because a blogging component is different from a social networking component; we rarely come across any blogging site that has open registration the way a social networking site does.

Is there a fix for this?

Yes, there is. With the latest EasyBlog 5 release, the ACL settings for the "Registered" group have very limited access by default. Site administrators will have to configure their ACLs accordingly in order to allow users to post on their site. Should you require any assistance with this, you can always refer to our ACL documentation or contact our EasyBlog experts via EasyBlog's Official Forum.

Should you wish to get your hands dirty and set up your ACL yourself, you can do so by first logging in to your backend and navigating to Component > EasyBlog > ACL.


From there, click on the ACL group "Registered" (or any other groups, depending on the setup of your site).


Set "Allowed to write new post" to "No", click "Save" and you are good to go!

The same concept applies to EasyBlog 3.9.x: navigate to Component > EasyBlog > ACL, click on the ACL group "Registered" and set "Write Entry" to "No".


The settings above ensure that those who are in the "Registered" group (the default Joomla user group for registered users) will not be able to create any new posts on your site.
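To check a site for the combination described above (open registration plus a write permission on the group new accounts land in), here is an added example; it is not StackIdeas code. It assumes you have the com_users options as JSON (Joomla's `allowUserRegistration` and `new_usertype` keys) and a hypothetical export of the EasyBlog ACL screen keyed by group id, using the setting labels named in this article.

```python
import json

# Setting labels as named in the article for the EasyBlog ACL screens.
WRITE_LABELS = ("Allowed to write new post", "Write Entry")  # 5.x, 3.9.x


def audit(com_users_params, easyblog_acl, group_names):
    """List groups that may write posts and flag the one self-registration feeds.

    com_users_params: JSON string of the Joomla com_users options.
    easyblog_acl:     {group_id: {label: "Yes"/"No"}} (hypothetical export format).
    group_names:      {group_id: title}, used only for readable output.
    """
    params = json.loads(com_users_params)
    open_registration = str(params.get("allowUserRegistration", "0")) == "1"
    # Group that new accounts are placed in; 2 is "Registered" on a stock install.
    landing_group = int(params.get("new_usertype", 2))

    findings = []
    for group_id, rules in sorted(easyblog_acl.items()):
        # A label missing from the export is treated as "No" (assumption).
        writable = [label for label in WRITE_LABELS
                    if str(rules.get(label, "No")).lower() == "yes"]
        if not writable:
            continue
        findings.append({
            "group": group_names.get(group_id, str(group_id)),
            "setting": writable[0],
            "exposed_to_self_registration":
                open_registration and group_id == landing_group,
        })
    return findings


# Constructed sample data, not taken from a real site.
SAMPLE_PARAMS = '{"allowUserRegistration": "1", "new_usertype": "2"}'
SAMPLE_ACL = {
    2: {"Allowed to write new post": "Yes"},  # Registered: the risky default
    4: {"Allowed to write new post": "Yes"},  # Editor: intended authors
    9: {"Allowed to write new post": "No"},   # Guest
}
SAMPLE_GROUPS = {2: "Registered", 4: "Editor", 9: "Guest"}

if __name__ == "__main__":
    for f in audit(SAMPLE_PARAMS, SAMPLE_ACL, SAMPLE_GROUPS):
        flag = "FIX" if f["exposed_to_self_registration"] else "ok"
        print(f'[{flag}] {f["group"]}: "{f["setting"]}" = Yes')
```

Any group flagged `FIX` is one that anyone can join by registering, so its write setting should be "No" unless open authorship is intended.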

I want to renew, but I'm worried

Should you have an active license, you are covered by our support policy. You are in good hands! We will assist you with anything related to our product, from deployment up to the configurations. All you have to do is drop us a message in our Official Support forum. Currently, the latest version of EasyBlog is EasyBlog 5.0.17. Just like any other software and application, we highly advise you to stay in the loop and upgrade your EasyBlog to the latest version. Those who are holding a valid license can immediately download the latest version via their dashboard, while those who are holding a valid license will have to renew their license with us.

We are very serious when it comes to security, so you have absolutely nothing to worry about.

 

Comments (12)

Hi

I tried to update Easyblog to v 5.0.17 and could not by Installation via the Network I get error and then I tried the full com_easyblog_full_pro_5.0.17_joomla3.0 and get this error to contact you "Sorry, there was some errors when trying to extract the queries.zip file." Please contact our support team....see attachment
http://www.dreamhouses.com/easyblog/easyblog_17.jpg

rgsd

 
  1.    ssnobben

Hi, thank you for contacting us. Our comment section was not really built to provide technical support; would you be kind enough to share your issues in our official forum? Our team of experts will get back to you as soon as possible. Thank you for your kind patience and understanding.

 

Ok, did that now. Also, is the Latest blog module not responsive? The pic with the latest blogs module doesn't react responsively regarding the picture in my site...hmmm

 

Hey ssnobben,

The latest blogs module on 5.0.17 is responsive. You just need to configure the module to use full width for the image.

P/S: You should use the forums for support inquiries

  Comment was last edited about 2 years ago by Mark

ok support fix this for me now so it work as expected..

 

Thanks! In the future, if you have support related inquiries, please do post them on our forums! We'll be glad to assist you!

 

There is no logical reason the blog should default to allowing registered users to create and post blogs. This is just wrong and should not be a default setting, period! In my opinion, while you say it is no one's fault, I stand on reason that it is the developer's fault. Take this as constructive criticism, but there are a good many sites that allow user registration and never in the history of Joomla has a registered user had permission to write and post anything on a site they register on. Comment, yes of course... but to be able to write to and post on should have NEVER been a default option!

I strongly urge you to reconsider this choice and set registered users the way Joomla intended them to be by default and not the way they currently are in EasyBlog.

  Comment was last edited about 1 year ago by Kevin Morrison
  1.    Kevin Morrison

Kevin,

In the last release of EasyBlog 3.9.x and the first release of EasyBlog 5.x, by default registered users no longer have the privileges to create and publish blog posts.

 

Thanks Mark, that is great news... Thanks for taking care of this...

 
  1.    Kevin Morrison

Not a problem Kevin, this is what we do best!

 

Hi, I have a little problem, when disabling write entry as explained in this article, I have a problem for Super Users or Publishers or even people with a best access rights and set to Yes, the publish button is disabled and post creation in front is refused, included the composer. Of course the logged user is Registered AND Super Admin but if Super Admin has the right to post, he could be able to... Any idea? Bug?

 

Hey Jean,

Kindly please write to our forums at http://stackideas.com/forums as the comments section here is not meant for a support tool

 