View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001284 | v3.0 Release | [All Projects] General | public | 2013-03-06 06:52 | 2013-08-28 11:17

Field | Value
---|---
Reporter | carlosazevedo
Assigned To | caseydk
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version |
Target Version |
Fixed in Version | 3.0.0
Summary | 0001284: FIX: Unworkable user permissions. Related to 0001237
Description | This is a correction of a previous fix I posted. Hopefully now it works properly. Two problems are solved by this fix : 1. The permissions are not shown because the permission tests relating to the currently logged in user are done incorrectly. Previously worked only for individual files, with my previous fix only for modules. 2. The permission items that can be added to an user are not filtered by the permissions of the currently logged in user. So its possible to add a permission that is then not shown due to lack of permissions on the part of the logged in user. And therefore cannot be removed. The fix involves the following changes to the 'vw_usr_perms.php' file in the 'admin' module directory: if (strpos($modName, 'Admin') === false && strpos($modName, 'All Modules') === false) { //non-admin modules - $addToList = true; + $addToList = canView($module['value']) && canEdit($module['value']); } else { //admin module ... $group_data = $perms->get_group_data($group_id, 'axo'); $modlist[] = $AppUI->_($group_data[3]); } } + $_canEdit = True; + $_canView = True; if (is_array($permission['axo'])) { foreach ($permission['axo'] as $key => $section) { foreach ($section as $id) { $mod_data = $perms->get_object_full($id, $key, 1, 'axo'); if (is_numeric($mod_data['name'])) { $module = $pgo_list[ucfirst($key)]; $q = new w2p_Database_Query(); $q->addTable($module['permissions_item_table']); $q->addQuery($module['permissions_item_label']); $q->addWhere($module['permissions_item_field'] . '=' . $mod_data['name']); $data = $q->loadResult(); $q->clear(); $modlist[] = $AppUI->_(ucfirst($key)) . ': ' . w2PHTMLDecode($data); + if (!canView($mod_data['section_value'], $mod_data['value'])) { + $_canView = False; + } + if (!canEdit($mod_data['section_value'], $mod_data['value'])) { + $_canEdit = False; + } } else { $modlist[] = $AppUI->_(ucfirst($key)) . ': ' . 
w2PHTMLDecode($mod_data['name']); + if (!canView($mod_data['value'])) { + $_canView = False; + } + if (!canEdit($mod_data['value'])) { + $_canEdit = False; + } } } } } - if (!canView($mod_data['value'])) { + // This visibility test (and the edit permission below) + // serves to make sure that the user currently logged in + // (which may not be the one whose permissions are being edited) + // can view the permission item and/or edit it. + if (!$_canView) { continue; } $buf .= implode(' ', $modlist); $buf .= '</td>'; // Item information TODO: need to figure this one out. // $buf .= "<td></td>"; // Type information. $buf .= '<td>'; $perm_type = array(); if (is_array($permission['aco'])) { foreach ($permission['aco'] as $key => $section) { foreach ($section as $value) { $perm = $perms->get_object_full($value, $key, 1, 'aco'); $perm_type[] = $AppUI->_($perm['name']); } } } $buf .= implode(' ', $perm_type); $buf .= '</td>'; // Allow or deny $buf .= '<td>' . $AppUI->_($permission['allow'] ? 'allow' : 'deny') . '</td>'; $buf .= '<td nowrap="nowrap">'; - $canDelete = (canEdit('users') && canEdit($mod_data['value'])); + $canDelete = (canEdit('users') && $_canEdit); if ($canDelete) { | ||||||||
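Review bot: the new `$addToList = canView($module['value']) && canEdit($module['value']);` gates the add-list on the logged-in user's own view and edit rights for the module, but nothing in the hunk records why both are required, and the admin-module `else` branch is elided so it is not visible whether admin entries get the same filter. Add a one-line comment stating that a permission may only be granted on a module the grantor can both view and edit, and either apply the same test on the admin branch or explicitly exempt it there, so the add-list stays consistent with the `if (!$_canView) continue;` row filter later in the patch.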
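Review bot: `$_canEdit = True; $_canView = True;` is fail-open: a permission row whose `$permission['axo']` is not an array, or is empty, never reaches a `canView`/`canEdit` call and is therefore displayed and treated as editable by whoever is logged in. If such rows are expected, say so in the comment; otherwise track whether at least one axo entry was actually checked and treat a row with none as not viewable. Also confirm that the reset of the two flags sits inside the per-permission loop, immediately before `if (is_array($permission['axo']))` as the hunk shows, since a denied item in one row must not hide every later row. Two style points on the same block: the surrounding code writes `true`/`false` in lower case (`$addToList = true;`), and the leading underscore in `$_canView`/`$_canEdit` makes them look like PHP superglobals; `$rowCanView`/`$rowCanEdit` would read better. As a follow-up outside this change, the unchanged `$q->addWhere($module['permissions_item_field'] . '=' . $mod_data['name']);` relies on the `is_numeric` test rather than a cast; an explicit `(int)` would be the safer form.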
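Review bot: `$canDelete = (canEdit('users') && $_canEdit);` is the right replacement for the old `canEdit($mod_data['value'])`, which read `$mod_data` after the loops had finished and so reflected only the last axo entry of the row (the same stale read was behind the removed `if (!canView($mod_data['value']))`). The comment block added above the `continue` explains the view test but not this one; extend it, or add a short comment at the `$canDelete` line, so the delete gate is documented as requiring that the logged-in user can edit users and can edit every object the permission applies to.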
Tags | No tags attached.
caseydk (administrator) 2013-03-30 12:54
Are you familiar with pull requests? That would make these *way* easier to review and merge.

carlosazevedo (reporter) 2013-04-01 00:55
I wasn't familiar with Git nor GitHub. But since then I've done a temporary fork to include all the changes and fixes I've done and intend on doing a pull request once the codebase is stable (in terms of changes, not bugs). We'll probably have to coordinate further since some of my changes include functionality changes that I cannot drop but that may be configured through system options.

GQQSER (reporter) 2013-04-30 13:21
I still cannot see user permissions with these changes. I have rewritten this file several times using the latest from GitHub, to no avail.

caseydk (administrator) 2013-06-02 23:47
Resolved with some minor tweaks, full code here: https://github.com/web2project/web2project/commit/112a100f9a814214f64c3f1ed6f0a399f54b98ea
Date Modified | Username | Field | Change |
---|---|---|---|
2013-03-06 06:52 | carlosazevedo | New Issue | |
2013-03-30 12:54 | caseydk | Note Added: 0002874 | |
2013-04-01 00:55 | carlosazevedo | Note Added: 0002877 | |
2013-04-30 13:21 | GQQSER | Note Added: 0002890 | |
2013-06-02 23:37 | caseydk | Relationship added | related to 0001283 |
2013-06-02 23:39 | caseydk | Relationship added | related to 0001237 |
2013-06-02 23:47 | caseydk | Note Added: 0002933 | |
2013-06-02 23:47 | caseydk | Status | new => resolved |
2013-06-02 23:47 | caseydk | Resolution | open => fixed |
2013-06-02 23:47 | caseydk | Assigned To | => caseydk |
2013-08-28 11:14 | caseydk | Fixed in Version | => 3.0.0 |
2013-08-28 11:17 | caseydk | Status | resolved => closed |