Control panel visible to users.
Posted:
Fri Mar 16, 2012 2:51 pm
by GrizBear
Hi Master Steve,
Just came across this scare.
As a user if I click on the following:
Under user name it shows my profile and change password.
When you click on my profile, you get a screen current record with two columns bids & details.
If you click on the user name underneath bids, it gives you the current record of that bid with details, and
underneath the "logged in as", you now have the option of the control panel, which the user can access...
I hope this is not normal..... and is there a fix for this....
Thanks Master Steve
De GrizBear
Re: Control panel visible to users.
Posted:
Fri Mar 16, 2012 3:25 pm
by shannah
Here is a diff that shows how to fix this issue:
macbook:webauction-svn shannah$ svn diff -r 3424:3425 .
Index: tables/bids/bids.php
===================================================================
--- tables/bids/bids.php (revision 3424)
+++ tables/bids/bids.php (revision 3425)
@@ -12,8 +12,9 @@
*/
//if ( $record ) echo "Yes"; else echo "No";
//if ( $record and $record->val('username') ) echo "We have a username";
- if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
- $perms = Dataface_PermissionsTool::ALL();
+ if ( isAdmin() ) return null;
+ if ( $record and ($record->strval('username') == getUsername())) {
+ $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
} else {
$perms = Dataface_PermissionsTool::NO_ACCESS();
}
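Review bot: the added line `if ( isAdmin() ) return null;` exits before `$perms` is assigned, so the admin path now relies on the caller treating a null return as "defer to the default permissions" rather than the explicit `ALL()` it received before; a one-line comment stating that intent at the `return null` would spare the next reader from assuming admins lost access. The owner branch is otherwise the right shape: `getRolePermissions('EDIT')` scopes the record owner to editing their own bid instead of the full `ALL()` set that was exposing administrative UI to ordinary users.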
Re: Control panel visible to users.
Posted:
Fri Mar 16, 2012 5:05 pm
by GrizBear
shannah wrote: Here is a diff that shows how to fix this issue:
macbook:webauction-svn shannah$ svn diff -r 3424:3425 .
Index: tables/bids/bids.php
===================================================================
--- tables/bids/bids.php (revision 3424)
+++ tables/bids/bids.php (revision 3425)
@@ -12,8 +12,9 @@
*/
//if ( $record ) echo "Yes"; else echo "No";
//if ( $record and $record->val('username') ) echo "We have a username";
- if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
- $perms = Dataface_PermissionsTool::ALL();
+ if ( isAdmin() ) return null;
+ if ( $record and ($record->strval('username') == getUsername())) {
+ $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
} else {
$perms = Dataface_PermissionsTool::NO_ACCESS();
}
Thanks, however, I am lost on what to do with it!! I copied and pasted the info and it gave errors.
Sorry master.. But where can I put this info, please????
Re: Control panel visible to users.
Posted:
Fri Mar 16, 2012 8:29 pm
by shannah
This means, in the file tables/bids/bids.php, change the lines:
if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
$perms = Dataface_PermissionsTool::ALL();
to
if ( isAdmin() ) return null;
if ( $record and ($record->strval('username') == getUsername())) {
$perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
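For anyone unsure how those fragments fit together, here is the complete getPermissions() delegate method as it would read in tables/bids/bids.php, with the leaky version next to the corrected one. This is an added illustration, not the project's own file; isAdmin() and getUsername() are assumed to be the application's own helper functions exactly as they appear in the diff.

```php
<?php
// Added example, not the project's own bids.php. Xataface names the delegate
// class for a table "tables_<tablename>"; isAdmin() and getUsername() are
// assumed to be the application's helpers used in the thread.
class tables_bids {

    // BEFORE: the record owner is handed the same permission set as an
    // administrator. ALL() is the complete set, which includes the
    // application-level permissions that expose the control panel, so any
    // user who owns a bid ends up seeing the admin menu.
    function getPermissions_before($record) {
        if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
            $perms = Dataface_PermissionsTool::ALL();
        } else {
            $perms = Dataface_PermissionsTool::NO_ACCESS();
        }
        return $perms;
    }

    // AFTER: administrators return null so this table defers to the
    // application's default permissions; the record owner gets only the
    // EDIT role, enough to view and change their own bid but with none of
    // the administrative permissions; everyone else gets nothing.
    function getPermissions($record) {
        if ( isAdmin() ) return null; // defer to application-level permissions
        if ( $record and ($record->strval('username') == getUsername())) {
            $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
        } else {
            $perms = Dataface_PermissionsTool::NO_ACCESS();
        }
        return $perms;
    }
}
```

Only the second method should remain in the real file; the first is kept here purely to show what was being granted before the change.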