ID: 0001284
Project: v3.0 Release
Category: [All Projects] General
View Status: public
Last Update: 2013-08-28 11:17
Reporter: carlosazevedo
Assigned To: caseydk
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: (none)
Target Version: (none)
Fixed in Version: 3.0.0
Summary: 0001284: FIX: Unworkable user permissions. Related to 0001237
Description: This is a correction of a previous fix I posted. Hopefully now it works properly. Two problems are solved by this fix:

1. The permissions are not shown because the permission tests relating to the currently logged-in user are done incorrectly. Previously they worked only for individual files; with my previous fix, only for modules.
2. The permission items that can be added to a user are not filtered by the permissions of the currently logged-in user. So it is possible to add a permission that is then not shown due to lack of permissions on the part of the logged-in user, and therefore cannot be removed.

The fix involves the following changes to the 'vw_usr_perms.php' file in the 'admin' module directory:

    if (strpos($modName, 'Admin') === false && strpos($modName, 'All Modules') === false) {
        //non-admin modules
- $addToList = true;
+ $addToList = canView($module['value']) && canEdit($module['value']);
    } else {
        //admin module
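Review bot: the new `$addToList = canView($module['value']) && canEdit($module['value']);` only narrows what the add form offers; on its own it does not stop a permission the logged-in user cannot view from being added. Confirm that the handler which processes the add request applies the same `canView(...) && canEdit(...)` test to the submitted module, otherwise a request naming a module that was left out of the list recreates exactly the orphaned-permission problem the description sets out to fix. The `else` branch for admin modules is cut off here, so it is not visible whether admin modules receive any filtering at all; a line or two of that branch in the patch would let a reviewer check it.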

...

                $group_data = $perms->get_group_data($group_id, 'axo');
                $modlist[] = $AppUI->_($group_data[3]);
            }
        }
+ $_canEdit = True;
+ $_canView = True;
        if (is_array($permission['axo'])) {
            foreach ($permission['axo'] as $key => $section) {
                foreach ($section as $id) {
                    $mod_data = $perms->get_object_full($id, $key, 1, 'axo');
                    if (is_numeric($mod_data['name'])) {
                        $module = $pgo_list[ucfirst($key)];
                        $q = new w2p_Database_Query();
                        $q->addTable($module['permissions_item_table']);
                        $q->addQuery($module['permissions_item_label']);
                        $q->addWhere($module['permissions_item_field'] . '=' . $mod_data['name']);
                        $data = $q->loadResult();
                        $q->clear();
                        $modlist[] = $AppUI->_(ucfirst($key)) . ': ' . w2PHTMLDecode($data);
+ if (!canView($mod_data['section_value'], $mod_data['value'])) {
+ $_canView = False;
+ }
+ if (!canEdit($mod_data['section_value'], $mod_data['value'])) {
+ $_canEdit = False;
+ }
                    } else {
                        $modlist[] = $AppUI->_(ucfirst($key)) . ': ' . w2PHTMLDecode($mod_data['name']);
+ if (!canView($mod_data['value'])) {
+ $_canView = False;
+ }
+ if (!canEdit($mod_data['value'])) {
+ $_canEdit = False;
+ }
                    }
                }
            }
        }
- if (!canView($mod_data['value'])) {
+ // This visibility test (and the edit permission below)
+ // serves to make sure that the user currently logged in
+ // (which may not be the one whose permissions are being edited)
+ // can view the permission item and/or edit it.
+ if (!$_canView) {
             continue;
           }
        $buf .= implode('
', $modlist);
        $buf .= '</td>';
        // Item information TODO: need to figure this one out.
        // $buf .= "<td></td>";
        // Type information.
        $buf .= '<td>';
        $perm_type = array();
        if (is_array($permission['aco'])) {
            foreach ($permission['aco'] as $key => $section) {
                foreach ($section as $value) {
                    $perm = $perms->get_object_full($value, $key, 1, 'aco');
                    $perm_type[] = $AppUI->_($perm['name']);
                }
            }
        }
        $buf .= implode('
', $perm_type);
        $buf .= '</td>';

        // Allow or deny
        $buf .= '<td>' . $AppUI->_($permission['allow'] ? 'allow' : 'deny') . '</td>';
        $buf .= '<td nowrap="nowrap">';
- $canDelete = (canEdit('users') && canEdit($mod_data['value']));
+ $canDelete = (canEdit('users') && $_canEdit);
        if ($canDelete) {
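Review bot: `$_canView` and `$_canEdit` are initialised to `True` and are only ever lowered inside the loops over `$permission['axo']`, so a permission row whose 'axo' entry is missing or empty never reaches a `canView`/`canEdit` call: it passes `if (!$_canView)` and, given `canEdit('users')`, gets the delete control regardless of the logged-in user's module rights. The removed line `if (!canView($mod_data['value']))` at least tied the decision to an item. If rows without AXO entries are meant to be visible to every user editor, say so in the new comment block; otherwise seed both flags from whether the 'axo' list is non-empty so that the default is deny. Two smaller points: the numeric-name branch now calls `canView($mod_data['section_value'], $mod_data['value'])` while the other branch keeps the one-argument form, which deserves a comment because the original used the one-argument form everywhere; and `True`/`False` should be lowercase to match `=== false` in the surrounding code.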
Tags: No tags attached.
Attached Files: (none)

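The scenario described in the report (a permission the logged-in user can grant to someone but cannot see afterwards, and therefore cannot remove), as an added stand-alone illustration that is not code from this ticket or from web2project. The ACL table, the user and module names and all helper functions are hypothetical; `canView`/`canEdit` imitate only the module-level form of the checks the patch relies on. The example also covers the point the form filter alone does not: the same rule is enforced server-side when the add request arrives, so a hand-crafted request naming an unlisted module is refused too.

```php
<?php
// Added illustration, not web2project code. ACL contents, user and module
// names and helper names are hypothetical. Requires PHP 7.4+ (arrow functions).

// Per-user ACL: user => module => ['view' => bool, 'edit' => bool].
// alice may administer users and projects; she has no rights on 'files'.
function acl(): array {
    static $acl = [
        'alice' => [
            'users'    => ['view' => true, 'edit' => true],
            'projects' => ['view' => true, 'edit' => true],
        ],
        'bob' => [],
    ];
    return $acl;
}

const ALL_MODULES = ['users', 'projects', 'files'];

// Default deny: an unknown user/module pair yields false.
function canView(string $user, string $module): bool {
    $acl = acl();
    return $acl[$user][$module]['view'] ?? false;
}
function canEdit(string $user, string $module): bool {
    $acl = acl();
    return $acl[$user][$module]['edit'] ?? false;
}

// Modules the logged-in user ($actor) may offer in the "add permission" form.
// $filtered = false reproduces the pre-fix behaviour: every module is listed.
function assignableModules(string $actor, bool $filtered): array {
    if (!$filtered) {
        return ALL_MODULES;
    }
    return array_values(array_filter(
        ALL_MODULES,
        fn(string $m) => canView($actor, $m) && canEdit($actor, $m)
    ));
}

// Server-side add: enforce the same rule as the form, so a forged request
// naming a module that was not offered is rejected as well.
function assignPermission(string $actor, array &$targetPerms, string $module, bool $filtered): bool {
    if (!in_array($module, assignableModules($actor, $filtered), true)) {
        return false;
    }
    $targetPerms[] = $module;
    return true;
}

// What the actor sees on the target user's permission page: module => deletable.
// Rows the actor cannot view are omitted, which is what strands them.
function visibleRows(string $actor, array $targetPerms): array {
    $rows = [];
    foreach ($targetPerms as $module) {
        if (!canView($actor, $module)) {
            continue;   // hidden row: no delete control is ever rendered
        }
        $rows[$module] = canEdit($actor, 'users') && canEdit($actor, $module);
    }
    return $rows;
}

// Entries granted to the target that the actor cannot see at all.
function orphanedFor(string $actor, array $targetPerms): array {
    return array_values(array_filter(
        $targetPerms,
        fn(string $m) => !canView($actor, $m)
    ));
}

// Pre-fix: the unfiltered form lets alice grant 'files' to bob although she
// cannot view that module herself; the row then never appears for her.
$bob = [];
assignPermission('alice', $bob, 'files', false);
printf("pre-fix, rows alice can see/delete: %s\n", json_encode(visibleRows('alice', $bob)));
printf("pre-fix, entries orphaned for alice: %s\n", json_encode(orphanedFor('alice', $bob)));

// Post-fix: 'files' is not offered, and the same check on the add path
// refuses a request that names it anyway.
$bob = [];
printf("post-fix, modules alice may assign: %s\n", json_encode(assignableModules('alice', true)));
printf("post-fix, forged add of 'files' accepted: %s\n", json_encode(assignPermission('alice', $bob, 'files', true)));
```

Run with `php orphaned-permission.php` (hypothetical file name). The view-side filter in `visibleRows` mirrors the `continue` in the patch; the point of `assignPermission` is that hiding a module from the form is a presentation decision, and only the check on the add path prevents the orphaned entry from being created in the first place.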
Relationships
related to 0001283 (closed, caseydk): FIX: Permissions for an user are not shown on the 'View User' page
related to 0001237 (closed, caseydk): Not possible to delete assigned User Permission

Notes

~0002874

caseydk (administrator)

Are you familiar with pull requests? That would make these *way* easier to review and merge.

~0002877

carlosazevedo (reporter)

I wasn't familiar with Git or GitHub. But since then I've done a temporary fork to include all the changes and fixes I've done, and I intend to do a pull request once the codebase is stable (in terms of changes, not bugs).
We'll probably have to coordinate further, since some of my changes include functionality changes that I cannot drop but that may be configured through system options.

~0002890

GQQSER (reporter)

I still cannot see user permissions with these changes. I have rewritten this file several times using the latest from GitHub, to no avail.

~0002933

caseydk (administrator)

Resolved with some minor tweaks, full code here:
https://github.com/web2project/web2project/commit/112a100f9a814214f64c3f1ed6f0a399f54b98ea

Issue History

Date Modified      Username        Field / Change
2013-03-06 06:52   carlosazevedo   New Issue
2013-03-30 12:54   caseydk         Note Added: 0002874
2013-04-01 00:55   carlosazevedo   Note Added: 0002877
2013-04-30 13:21   GQQSER          Note Added: 0002890
2013-06-02 23:37   caseydk         Relationship added: related to 0001283
2013-06-02 23:39   caseydk         Relationship added: related to 0001237
2013-06-02 23:47   caseydk         Note Added: 0002933
2013-06-02 23:47   caseydk         Status: new => resolved
2013-06-02 23:47   caseydk         Resolution: open => fixed
2013-06-02 23:47   caseydk         Assigned To: => caseydk
2013-08-28 11:14   caseydk         Fixed in Version: => 3.0.0
2013-08-28 11:17   caseydk         Status: resolved => closed