BBC BASIC forum

Hated_moron

Soruk wrote: »

It's your forum, your server

That's not correct: it's my server but it's not my forum. It ceased to be my forum years ago when I passed the 'founder' attribute to DDRM, since then it's been his forum. If I'd wanted it to be my forum, I would have retained founder status.

if the database is damaged (which it is, if it's got the forum in a broken state) then any means necessary to repair it are fair game.

True, but the database isn't damaged and the forum isn't "broken". Yes it currently lacks an active admin, and that makes it vulnerable to spam posts etc., but it's working, and Patrick could resume active management at any time (I don't even know for sure that he hasn't).

This seems pretty clear-cut to me. The administrator of a server is not (necessarily) also the administrator of the services running on that server. In just the same way that I don't consider those who maintain Hostinger's server to be the 'owners' of my website, I am not the 'owner' of the forum.

To make any changes to the forum without the explicit permission of the founder would require a high bar to be passed, and I don't see that we can claim it has been.

Hated_moron

Hated_moron wrote: »

To make any changes to the forum without the explicit permission of the founder would require a high bar to be passed, and I don't see that we can claim it has been.

If we were sure that the current founder has 'abandoned' the forum that might be sufficient justification, but we're not, are we?

Soruk

Back here https://distillery.matrixnetwork.co.uk:3004/discussion/comment/952/#Comment_952 you mentioned he had resigned from the position. So on that basis I would say "ownership" would revert to you.

Hated_moron

Soruk wrote: »

Back here https://distillery.matrixnetwork.co.uk:3004/discussion/comment/952/#Comment_952 you mentioned he had resigned from the position. So on that basis I would say "ownership" would revert to you.

If only it was that simple!

I don't even know whether DDRM transferred founder status to Patrick or not. If he didn't, David of course retains 'ownership'; if he did, ownership remains with Patrick because strictly speaking the founder cannot 'resign'!

I've sought clarification on both these points, so that at least we know what the current situation is, but I've received no reply. In the absence of confirmation I'm not at all sure that there's anything that you or I can legally do.

Whether by design or by accident, I am completely stuck.

Soruk

You could use phpMyAdmin to look at the user table to see whether DDRM and/or Patrick still have the founder flag. That's not changing anything but you will have a clearer view of the "ownership" state.

Hated_moron

Soruk wrote: »

You could use phpMyAdmin to look at the user table to see whether DDRM and/or Patrick still have the founder flag.

Where can I find out how to do that? I presume I would need to discover their numeric User IDs and somehow interrogate the database to find their current 'user type' from that? Is it documented somewhere?

Soruk

If examining URLs is giving me sane answers, my user ID is 248, yours is 529 and Patrick is 51. DDRM appears to be deleted. (Can't see how a deleted user could be considered the owner.)

I don't think the layout is documented per se, I may have to spin up a copy of phpBB with a similar version to yours to see what I can figure out from the database layout.

Hated_moron

Soruk wrote: »

DDRM appears to be deleted.

That's not surprising, because he told me that he had deleted his account. But we also know that before doing so he created a 'backdoor' account to which he transferred founder status (he had no choice, because you can't delete the sole founder account).

It's more than likely that his 'backdoor' account has never made any posts to the forum, so you won't be able to find the User ID that way. What we really need is a reverse lookup: list all the accounts which have founder status. Do you think that is possible?

Can't see how a deleted user could be considered the owner.

I agree, but I think it's highly unlikely that David doesn't have any account at all. Unless he deleted his backdoor account as soon as Patrick agree to take over, it probably still exists. Whether it also has founder status I don't know, but I wouldn't be surprised.

Can you (or anybody else) see any reason not to delete the forum altogether? Since it went offline nobody has commented on it, nobody has contacted me to ask what's happened to it, nobody seems to care that the many years worth of archive it represents is no longer accessible.

In which case why are we even bothering? Just delete the whole caboodle and be done with it.

BigEd

I'm certain it's possible to interrogate the database to see which account is marked as founder. One can find out anything from the database - that's what phpbb works with after all. Similarly, anything which could be done from the forum can be done from the database, and if it's done carefully and with understanding, will be exactly as if it had been done from the forum.

Hated_moron

BigEd wrote: »

Similarly, anything which could be done from the forum can be done from the database, and if it's done carefully and with understanding, will be exactly as if it had been done from the forum.

In theory you are probably right, but phpBB themselves warn that attempting anything other than a trivial change has a high risk of 'bricking' the forum. The database itself doesn't ensure that the internal consistencies that are required for correct operation of the forum are maintained.

BigEd

Indeed so, but this is a warning against unskilled and uncareful changes. One can proceed in perfect safety, if one starts with a backup. And one would study the schema first, to understand what needs to be done. This wouldn't be a case of making try-and-see changes.

Hated_moron

BigEd wrote: »

One can proceed in perfect safety, if one starts with a backup. And one would study the schema first, to understand what needs to be done.

But who is this "one" of whom you speak? You? Michael? Somebody else?

I'm not going to be stupid enough to give unfettered access to my website, e.g. via SSH, to somebody I don't know and trust, so I don't understand how your proposal can be put into practice.

It's trusting Patrick more than perhaps I should that has got me into this mess in the first place!

BigEd

It seems most likely to me, for a successful outcome, that you'd give database access to Michael. No need to give full machine access, as far as I can tell.

Soruk

Would you be prepared to share a backup dump of the database, that way it can be examined without touching the live one?

Hated_moron

BigEd wrote: »

It seems most likely to me, for a successful outcome, that you'd give database access to Michael. No need to give full machine access, as far as I can tell.

So how is that achieved? I didn't know there was a way to do that.

Hated_moron

Soruk wrote: »

Would you be prepared to share a backup dump of the database, that way it can be examined without touching the live one?

The backups I listed previously (bearing in mind that they were done from the forum's admin interface, not from the database directly) are accessible from the limited FTP account that I created for DDRM and PM. I can email you the credentials of that account if you want them.

BigEd

Hated_moron wrote: »

...I've also got phpMyAdmin access, which has something to do with databases.

I'm taking this as meaning you have a phpMyAdmin username and password, which you could share with a trusted competent party, such as Michael. (I have exactly that kind of access, for another forum, and I use this access for occasional database administration. The owner of the site trusts me with that access.)

Soruk

Hated_moron wrote: »

Soruk wrote: »

Would you be prepared to share a backup dump of the database, that way it can be examined without touching the live one?

The backups I listed previously (bearing in mind that they were done from the forum's admin interface, not from the database directly) are accessible from the limited FTP account that I created for DDRM and PM. I can email you the credentials of that account if you want them.

Yes please. I can then spin up a MySQL instance to have a look around it, and there's zero risk to your live database.

Hated_moron

BigEd wrote: »

I'm taking this as meaning you have a phpMyAdmin username and password

I don't think I have a username and password for phpMyAdmin. I log into my web hosting account (which gives me access to everything) click on Databases... phpMyAdmin... Enter phpMyAdmin and I see this, it doesn't ask me for any more credentials:

BigEd

That's certainly the interface I'm familiar with. (I imagine there's a direct way to access it - if you can't discover it I suppose you'd need to ask support. I'm certain I don't have full access to the hosting of the forum where I do have phpMyAdmin access. For what it's worth, that forum is hosted at OVH.)

Hated_moron

BigEd wrote: »

I imagine there's a direct way to access it - if you can't discover it I suppose you'd need to ask support.

I found a direct link, which does indeed open a phpMyAdmin login page:



But as I never normally need to enter a password I think that means it's the same as the main web hosting login. What I can possibly do is to set the database password to something different, although I'm not sure what effect that might have on the straightforward way of accessing it from my web hosting control panel.

Edit: Are you absolutely certain that changing the database login credentials won't have any effect on the forum itself?

Soruk

Can you add a new user from your usual view, with SELECT (read-only) permissions on the phpBB database?

BigEd

Hated_moron wrote: »

But as I never normally need to enter a password I think that means it's the same as the main web hosting login.

No, I'd say most probably not. The phpbb instance has the username and password to access the database, and that's what you'd need at this screen. It looks like your provider's interface has a way of skipping that authorisation in your usual flow.

If you were to change the database password, you'd need to be sure the forum config has the new value. It might be that this is arranged by your provider's interface. Otherwise, you'd edit a config file. But I'm not sure there's any particular reason to change it.

Hated_moron

BigEd wrote: »

If you were to change the database password, you'd need to be sure the forum config has the new value.

OK, so we're stuck then (again). I'm not prepared to give you the main website password, which is what the database needs (and must therefore be what the forum knows) and as I can't safely change it to something else that appears to be that.

It's basically what I suspected all along: any attempt to hack the database is likely to brick the forum and leave us in a worse position than we are now. Since doing that would almost certainly be illegal anyway, I'm relieved that it's not practical.

I'll send Michael the FTP login credentials to see if he can do something with them.

Hated_moron

Soruk wrote: »

Can you add a new user from your usual view, with SELECT (read-only) permissions on the phpBB database?

I doubt it, but then I don't know what "view" or "SELECT" mean in this context! Creating a new user is likely to affect multiple parts of the database in ways that must be internally consistent.

What I've seen in the phpBB docs is that the only thing you can do with moderate safety is to promote or demote an existing user to a different privilege level. And even then you have to be careful if you're fiddling with the founder privilege.

If you can clone the database from a backup, it might be interesting to try to access it from a BBC BASIC program using the mysqllib library. At least that way you could write - and then give to me - a program which would do everything with minimal chance of 'human error'.

Hated_moron

Some progress: I've heard from DDRM and evidently he does still have admin access to the forum. So long as he is prepared to be cooperative, that should mean that hacking into the database isn't necessary.

Soruk

That is good news. Perhaps, if he doesn't want to remain running it on a day to day basis, he gives you admin (or at least moderator) access, that would solve many problems.

Hated_moron

Soruk wrote: »

That's a bit daft of him as all new users will need this. Basic (pun not intended) responsibilities of a forum admin that he should have been aware of when he took up the role

DDRM has today confirmed that admins don't necessarily have moderator privileges, and that indeed the way admin responsibility was transferred to Patrick he didn't (until today)! So that's one reason why he never approved my message - he couldn't!

Hated_moron

Hated_moron wrote: »

I don't even know whether DDRM transferred founder status to Patrick or not. If he didn't, David of course retains 'ownership'; if he did, ownership remains with Patrick because strictly speaking the founder cannot 'resign'!

I've sought clarification on both these points

I've now received some clarification from DDRM and he does still have admin access (whether as 'founder' I'm not sure).

Hated_moron

Soruk wrote: »

[If] he gives you admin (or at least moderator) access, that would solve many problems.

As I've previously explained, I don't want admin access as ceasing to be an admin was the whole point of transferring the forum to somebody else all that long time ago. Anyway, my health just isn't good enough to resume that responsibility.

I don't object to having moderator access (although ideally I'd like to have confirmation from one or more of those who were so upset about me being an admin that they are happy for me to) but that's really a decision for Patrick not David.