Control panel visible to users.

A place to discuss and receive support for the Web Auction application.

Control panel visible to users.

Postby GrizBear » Fri Mar 16, 2012 2:51 pm

Hi Master Steve,
Just came across this scare.
As a user if I click on the following:
Under user name it shows my profile and change password.
When you click on my profile, you get a screen current record with two columns bids & details.
If you click on the user name underneath of bids, it gives you current record of that bid with details and
underneath the logged in as , you now have to option of the control panel. Which the user can access...

I hope this is not normal.....and is there a fix for this....

Thanks Master Steve

De GrizBear
Image
Klaus G Schulz, CPP-OCP
Greyhound Adoption Squad-Canada
www.t-legs.com

Not everyone needs a Greyhound,
But every retired racing Greyhound, needs someone....
GrizBear
 
Posts: 30
Joined: Thu Sep 02, 2010 3:15 pm
Location: Montreal, QC, CANADA

Re: Control panel visible to users.

Postby shannah » Fri Mar 16, 2012 3:25 pm

Here is a diff that shows how to fix this issue:
Code: Select all

macbook:webauction-svn shannah$ svn diff -r 3424:3425 .
Index: tables/bids/bids.php
===================================================================
--- tables/bids/bids.php   (revision 3424)
+++ tables/bids/bids.php   (revision 3425)
@@ -12,8 +12,9 @@
   */
      //if ( $record ) echo "Yes"; else echo "No";
      //if ( $record and $record->val('username') ) echo "We have a username";
-      if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
-         $perms = Dataface_PermissionsTool::ALL();
+      if ( isAdmin() ) return null;
+      if (  $record and ($record->strval('username') == getUsername())) {
+         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
      } else {
         $perms = Dataface_PermissionsTool::NO_ACCESS();
      }
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Control panel visible to users.

Postby GrizBear » Fri Mar 16, 2012 5:05 pm

shannah wrote:Here is a diff that shows how to fix this issue:
Code: Select all

macbook:webauction-svn shannah$ svn diff -r 3424:3425 .
Index: tables/bids/bids.php
===================================================================
--- tables/bids/bids.php   (revision 3424)
+++ tables/bids/bids.php   (revision 3425)
@@ -12,8 +12,9 @@
   */
      //if ( $record ) echo "Yes"; else echo "No";
      //if ( $record and $record->val('username') ) echo "We have a username";
-      if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
-         $perms = Dataface_PermissionsTool::ALL();
+      if ( isAdmin() ) return null;
+      if (  $record and ($record->strval('username') == getUsername())) {
+         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
      } else {
         $perms = Dataface_PermissionsTool::NO_ACCESS();
      }


Thaks, however, I am lost on what to do with it!!
I copied and pasted the info and it gave errors.
Sorry master..But where can i put this info, please????
Image
Klaus G Schulz, CPP-OCP
Greyhound Adoption Squad-Canada
www.t-legs.com

Not everyone needs a Greyhound,
But every retired racing Greyhound, needs someone....
GrizBear
 
Posts: 30
Joined: Thu Sep 02, 2010 3:15 pm
Location: Montreal, QC, CANADA

Re: Control panel visible to users.

Postby shannah » Fri Mar 16, 2012 8:29 pm

This means, in the file tables/bids/bids.php, change the lines:
Code: Select all
    if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
        $perms = Dataface_PermissionsTool::ALL();

to
Code: Select all
      if ( isAdmin() ) return null;
      if (  $record and ($record->strval('username') == getUsername())) {
         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Web Auction Discussion

Who is online

Users browsing this forum: Bing [Bot] and 2 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved