How do I add another person as an hubzilla admin?

Thu, 24 Jan 2019 12:52:02 +0100

!Hubzilla Support Forum Once again a simple question, but neither docs nor google can help:

How do I add another person as an hubzilla admin?

TIA!

Imprint - Privacy Policy

show all 31 comments

Mario Vavti

Thu, 24 Jan 2019 13:18:14 +0100

I do not think there is a possibility for that in the frontend atm.
It is probably possible by changing the appropriate flags in the DB (untested)

Blechpirat

Thu, 24 Jan 2019 13:19:38 +0100

That would explain why there is nothing in the manual :)

Daniel

Thu, 24 Jan 2019 13:21:41 +0100

I believe the only way is to modify the database. Add 4096 to the user permission. Be sure to have a way to undo your changes, as that information comes from months old memory.

Blechpirat

Thu, 24 Jan 2019 13:23:23 +0100

I won't try that. At his point the hub is rather small and can wait a day or two if I'm offline. It really becomes relevant when the hub should grow...

Max Kostikov

Thu, 24 Jan 2019 13:47:07 +0100

I believe the only way is to modify the database. Add 4096 to the user permission.

+1 I didn't checked but this should works.

Harald Eilertsen

Thu, 24 Jan 2019 14:08:17 +0100

This would be a nice thing to have in the UI.

Tanja

Thu, 24 Jan 2019 14:13:13 +0100

@Harald Eilertsen Agreed. I did it in the database, and it worked, but a simple setting on the admin page would be nice.

M. Dent

Thu, 24 Jan 2019 14:32:56 +0100

The lack of a "simple setting" I think is intentional. Admin gives great power - the idea is, make absolutely certain it's worth the pain to give that person that power. Also, this prohibits the possibility of someone hacking an admin account and simply giving another user admin over your entire hub making them a bit harder to track down/trace.

I'm in agreement with the general philosophy that really important things should be at least a little hard. It helps avoid mistakes - and forces the person who wants to do it to make sure they really want to do it. The difficulty and time involved may lead them to second guess themselves just enough to avoid doing something really stupid.

Tanja

Thu, 24 Jan 2019 14:46:02 +0100

@M. Dent Ok, if you put it that way, you have a point.

Harald Eilertsen

Thu, 24 Jan 2019 14:46:45 +0100

really important things should be at least a little hard. It helps avoid mistakes

Generally the conclusion is usually the opposite. It's more likely to make a mistake if something is difficult, than if it is easy. I don't think that's any different for Hubzilla than for the rest of the world.

Markku Raitisoja

Felucia, Thu, 24 Jan 2019 16:04:23 +0100

This could be also done in CLI if there would be interface there.
example:
util/make_admin <username>
This way you need access to actual server to do it

===This has been posted from Make's HUB===

h.EAR.t

Thu, 24 Jan 2019 16:09:06 +0100

Suggestion:
"Hide" it behind an "enable dangerous actions"
I very much see both arguments as very valid.

Blechpirat

Thu, 24 Jan 2019 16:37:40 +0100

I'm in agreement with the general philosophy that really important things should be at least a little hard.

Even if you assume this as true, it should be documented somewhere. At this point you can't google the information... which forces people like me to ask dumb questions here :)

Harald Eilertsen

Thu, 24 Jan 2019 16:53:09 +0100

Both a CLI tool, and "enable dangerous actions" are good suggestions imo. As long as there is a documented and tested way of doing it. One argument for having it in the UI is that it may make it easier to see other users with admin privileges. If you manually have to inspect the db or run a command line tool, it may be less obvious who has this privilege.

h.EAR.t

Thu, 24 Jan 2019 18:57:44 +0100

I have just written a short and quick article howto. As soon as the clone syncs it will be at
https://zotlabs.org/articles/zotlabs

Stefan Holzhauer

Fri, 25 Jan 2019 08:46:44 +0100 last edited: Fri, 25 Jan 2019 13:11:41 +0100

I agree that this should be an option in the backend. Almost every other similar software I know has the option to add a user to the access or user group admin.

The implications should be clear to everyone who runs something like hubzilla, non-techies are not even able to install the thing, so I see no problem. Of course you can add a warning, but nevertheless. Ease of use is one of the main causes prohibiting more people using Hubzilla atm in my opinion.

Fraengii

Fri, 25 Jan 2019 11:13:19 +0100

What about creating an admin account which is used for administrative things by those who are the administrators?

Markku Raitisoja

Kamino, Fri, 25 Jan 2019 11:48:04 +0100

What about creating an admin account which is used for administrative things by those who are the administrators?

You mean shared account?

===This has been posted from Make's HUB===

Fraengii

Fri, 25 Jan 2019 12:27:47 +0100 last edited: Fri, 25 Jan 2019 12:28:58 +0100

Yes, one account for all administrators. I think if two people share the responsibility for the same hub they could also share an account.
But I don't know what's happening when both are using the account at the same time.

Markku Raitisoja

Mygeeto, Fri, 25 Jan 2019 12:46:00 +0100

I wouldn't recommend the shared account, because then the audit trail is lost.
Now that I think of it, CLI option also usually goes with direct SQL credentials and the trail is lost there also.
I take my suggestion about CLI back

===This has been posted from Make's HUB===

Daniel

Fri, 25 Jan 2019 15:35:41 +0100

@Markku Raitisoja Once you got access to the CLI you've got full access to hubzilla anyway.
Leaving an audit trail becomes optional at that point. Nothing would stop you from modifying the PHP files to give you admin or reading the database password and connecting to the database directly.

Markku Raitisoja

Mustafar, Fri, 25 Jan 2019 15:39:11 +0100

@Daniel That's true.

===This has been posted from Make's HUB===

Fraengii

Fri, 25 Jan 2019 16:44:19 +0100

Sorry, stupid question: What is the audit trail?

Fraengii

Fri, 25 Jan 2019 16:47:31 +0100

However, I think if there are more than one person administrating a hub it is more a social than a technical problem or question. A problem of communication.

Daniel

Fri, 25 Jan 2019 17:18:54 +0100

@Fraengii An audit trail would be a log that records all security relevant information, e.g. who logged in when from where and changed which settings or permissions.
If you've got enough permissions to modify the file used to record that information, then leaving the information that you changed something becomes optional, as you can just restore the file to an older version that does not contain that information. You just need to know enough to remove all the traces.

Harald Eilertsen

Fri, 25 Jan 2019 19:34:18 +0100

A sane OS can do fairly decent auditing of who does what even with a command line interface, so I don't see that as a problem. Giving access to the hubzilla user on the system does not have to give access to modify the audit logs.

Fraengii

Sat, 26 Jan 2019 11:03:32 +0100 last edited: Sat, 26 Jan 2019 14:29:52 +0100

Thanks, @Daniel , for the explanation.
Although it's indeed a intetessting thing to find a technical solution I still think that if somebody share the responsability for her or his hub to another person he or she would choose this person very careful.

But if I would like to have a admin partner by now it would be a problem because I wouldn't share my account which I use also for private things.
So how could we solve this problem?

Giacomino

Sat, 26 Jan 2019 16:25:32 +0100

cc @Aracnus

Marko_D

Tue, 29 Jan 2019 00:01:32 +0100

I believe the only way is to modify the database. Add 4096 to the user permission. Be sure to have a way to undo your changes, as that information comes from months old memory.

where/which table?

Daniel

Tue, 29 Jan 2019 14:02:46 +0100

I don't have access to my hub's database right now, but it should be easy to identify the table that contains the list of accounts on your hub. It might just be called accounts.
And the column was probably called flags or roles. Just look for the one that already has one row with a value > 4096.

Marko_D

Tue, 29 Jan 2019 19:13:06 +0100

I see, I researched inside the (empty) tabel users. Thanks