Deeper integration of user rights

jeroendesloovere

24 Sep, 2011 10:15 AM

I really want a deeper integration of the user rights in all existing modules.

For example:

  • I give the user the right to edit his profile, but I don't want him to edit his own rights. As of now this isn't possible. So a user with only a few rights can suddenly change his rights to admin, crazy!

  • I don't want the client to adapt a page-template, it's not his job to do this.

  • ...

And a lot more rights need a closer look.

  1. Support Staff 1 Posted by tijs on 28 Sep, 2011 05:55 PM

    Jeroen,
    I see your problem. Although the stuff is available in the database, we didn't implement it right from the start.
    If you really want to, you can use the field "level" in the database to calculate the custom rights.

  2. 2 Posted by jeroendesloover... on 06 Oct, 2011 02:16 PM

    What is the best way to implement custom actions in a module?

    For example: module form_builder
    I've added this:
    if(BackendAuthentication::isAllowedAction('data','form_builder')), so users can't click on "4 submissions".

    But how can I prevent them from directly accessing this page: (if they don't have the correct rights)
    private/nl/form_builder/data?token=true&id=1

    Should I place the
    if(BackendAuthentication::isAllowedAction('data','form_builder')) in the execute() of BackendFormBuilderData?

    or is there a better way to do this?
    It seems that the actions index, add, edit, delete don't have an if in their Action.php.

  3. Support Staff 3 Posted by tijs on 06 Oct, 2011 08:14 PM

    This is checked in url.php

  4. jeroendesloovere closed this discussion on 07 Oct, 2011 06:16 AM.

  5. jeroendesloovere re-opened this discussion on 07 Oct, 2011 06:17 AM

  6. 4 Posted by jeroendesloover... on 07 Oct, 2011 06:17 AM

    Yep, found it! Great implementation!

  7. jeroendesloovere closed this discussion on 07 Oct, 2011 06:17 AM.

  8. jeroendesloovere re-opened this discussion on 24 Oct, 2011 01:42 PM

  9. 5 Posted by jeroendesloover... on 24 Oct, 2011 01:42 PM

    I've committed some "right updates", but still no response to these...

  10. Support Staff 6 Posted by tijs on 31 Oct, 2011 09:23 PM

    Jeroen, we will look into this matter in the future. We want to fix this at once for all modules.

  11. tijs closed this discussion on 31 Oct, 2011 09:23 PM.

  12. jeroendesloovere re-opened this discussion on 10 Apr, 2012 01:59 PM

  13. 7 Posted by jeroendesloover... on 10 Apr, 2012 01:59 PM

    I see this feature request still isn't implemented.

    A user can change his password, and change his user rights to admin.
    Security breach first class***

  14. Support Staff 8 Posted by mlitn on 10 Apr, 2012 02:08 PM

    Users can no longer change the password of other users - only exception is the God user (the one that installed the CMS) that will always have all permissions.

    I believe you're correct about the second one though, a user can always edit his own profile, part of which is the groups he belongs to.

  15. tijs closed this discussion on 07 May, 2012 09:04 PM.

  16. jeroendesloovere re-opened this discussion on 27 Jun, 2012 03:24 PM

  17. 9 Posted by jeroendesloover... on 27 Jun, 2012 03:24 PM

    This BIG security issue still isn't fixed!

    When will it be looked into?

  18. 10 Posted by jeroendesloover... on 27 Jun, 2012 03:39 PM

  19. tijs closed this discussion on 28 Jul, 2012 12:11 PM.
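
The two controls discussed in this thread, as an added example that is not part of the original discussion and is not Fork CMS code: one authorization check at the dispatch point, so a directly typed URL is refused just like a hidden link, and a profile save that refuses a changed group list unless the actor holds a separate right. All function names, the rights table and the `edit_groups` right are hypothetical.

```php
<?php
// Added example, hypothetical names. Constructed rights: group id => "module/action" pairs.
const GROUP_RIGHTS = [
    1 => ['*'],                                   // admin: everything
    2 => ['users/edit', 'form_builder/index'],    // editor: own profile, form list
];

function isAllowed(array $user, string $module, string $action): bool
{
    foreach ($user['groups'] as $groupId) {
        $rights = GROUP_RIGHTS[$groupId] ?? [];
        if (in_array('*', $rights, true) || in_array("$module/$action", $rights, true)) {
            return true;
        }
    }
    return false;
}

// Single entry point: a typed-in URL gets the same check as a clicked link.
function dispatch(array $user, string $module, string $action, callable $handler): array
{
    if (!isAllowed($user, $module, $action)) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    return $handler();
}

// Saving a profile: a changed group list needs its own right (assumed name: edit_groups).
function saveProfile(array $actor, array $target, array $form): array
{
    $new = array_map('intval', $form['groups'] ?? $target['groups']);
    $old = $target['groups'];
    sort($new); sort($old);
    if ($new !== $old && !isAllowed($actor, 'users', 'edit_groups')) {
        throw new RuntimeException('group change denied');
    }
    $target['email'] = $form['email'] ?? $target['email'];
    $target['groups'] = $new;
    return $target;
}

// Constructed demo user: an editor requesting an action and a group he has no right to.
$editor = ['id' => 7, 'email' => 'editor@example.test', 'groups' => [2]];
$data = dispatch($editor, 'form_builder', 'data', fn () => ['status' => 200, 'body' => 'submissions']);
echo $data['status'], "\n";
try {
    saveProfile($editor, $editor, ['groups' => ['1']]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```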
