logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
ray22901031  
#1 Posted : Tuesday, April 6, 2021 7:19:56 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
I know you guys have worked very hard on this update, but unfortunately, you have created a certain condition now with security that makes this software useless to us as is.

An order admin must have access to the user database, this is mandatory, you have removed this and it has now become a major problem for us.

One recommendation that comes to mind is to add a user admin group as well that will give order admin users access to the user database. Many times, operators will need to enter user information first before accepting an order.

Again I must voice my opinion on this topic, I love this software, but the security section is deplorable. You know it, everyone here knows it as well. I need a quick workaround please in order to rectify this issue.

Thank You

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

shaharyartiwana25816656  
#2 Posted : Tuesday, April 6, 2021 8:18:37 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Hi Ray,

I am unable to understand which of our changes in 9.0.4 causes this issue. Can you please help me out with this?

Was an admin user in the Order Admins group able to add a user in 9.0.3?

This page has information about our admin groups and permissions according to their roles. You can change the default configurations.
http://help.ablecommerce.../Admins/Admin_Groups.htm

Edited by user Tuesday, April 6, 2021 8:24:25 AM(UTC)  | Reason: Not specified

ray22901031  
#3 Posted : Tuesday, April 6, 2021 8:36:57 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
>>> Was an admin user in the Order Admins group able to add a user in 9.0.3? = YES

I will try to be as detailed as possible. This has to do under the admin group with the "order admin".

Under 9.0.3, an order admin still had access to the user database under the following conditions.

#1 - using the breadcrumbs which were listed on the upper right which have been removed under 9.0.4
#2 - going into an order and hitting customer profile which will take you to the user database

We were able under 9.03 to edit the "adminmenu.xml" file and restrict access to the menu on the left-hand side of the admin. We still gave our users access to the user database using the menu. But under 9.0.4, there is no way that a "order admin" can access the user database because they get kicked out.

The easiest way to fix this is to create a new user role called "user admin" that lets a member of this user group access the customer database. This would fix a large gap currently in the system. I know that to completely revamp the security section would be quite an undertaking, but I believe that by adding a new user role, that lets an admin access the user database, will go a long way.

This way I can create a custom admin group, in which both the "order admin" and the new role call "user admin" will be able to create new orders, create new customers, query existing customers to verify existing orders, query existing customers to verify past orders, and be in a better position to take care of customers when they call in on the phone.

Also, if the user doesn't have access to the catalog, why is there a hyperlink under the SKU names? It is very distracting, when users are manipulating orders to have your cursor highlight a product name, which of course my users will click on it and then take you to a completely different tab. Makes absolutely no sense whatsoever, if the user doesn't have access to the catalog in the first place, there should be no hyperlink as well.

Again, you guys have worked very hard, but I wear many hats, and one of them is dealing with customers, and this version now makes it very difficult to do so without major modifications by a developer, something I'm trying to avoid.

I hope I have explained it in the way that you could better understand.

Many thanks, please feel free to reach out if you have any additional questions. I am leaving now to the office and will not be back until 5:pm.
mazhar  
#4 Posted : Tuesday, April 6, 2021 9:52:15 AM(UTC)
mazhar

Rank: Administration

Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered
Joined: 10/5/2018(UTC)
Posts: 175

Thanks: 8 times
Was thanked: 17 time(s) in 15 post(s)
You can simply edit the /App_Data/adminbreadcrumb.xml and then update following item
Code:
<breadCrumb controller="People" action="Users" title="Users">

like
Code:
<breadCrumb controller="People" action="Users" title="Users" roles="Manage Orders">


It should restore the previous behavior for your order manager users.

Also, edit the /App_Data/adminmenu.xml file and then update the following items
Code:

<menuItem title="People" icon="fa fa-users" roles="System,Admin,Junior Admin" description="The People menu gives you access to the different types of people and groups that are in store.">
    <menuItem title="Users" controller="People" action="Index" roles="System,Admin" description="User management.">

like
Code:

<menuItem title="People" icon="fa fa-users" roles="System,Admin,Junior Admin,Manage Orders" description="The People menu gives you access to the different types of people and groups that are in store.">
    <menuItem title="Users" controller="People" action="Index" roles="System,Admin,Manage Orders" description="User management.">

Edited by user Tuesday, April 6, 2021 10:09:40 AM(UTC)  | Reason: Not specified

mazhar  
#5 Posted : Tuesday, April 6, 2021 10:11:12 AM(UTC)
mazhar

Rank: Administration

Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered
Joined: 10/5/2018(UTC)
Posts: 175

Thanks: 8 times
Was thanked: 17 time(s) in 15 post(s)
you can also update the adminmenu.xml and edit according to the access structure. please check the updates I made in the above post for the admin menu for the order admin role.
ray22901031  
#6 Posted : Tuesday, April 6, 2021 7:03:08 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
mazhar,

Thank you for your reply, I need to digest this a little bit further but I want to make sure that I get at least what you're trying to say.

It seems that modifying the adminmenu.xml modifies the view, and modifying adminbreadcrumb.xml will modify the behavior.

So even though I give them the ability through adminmenu.xml to have access to the user area, without modifying adminbreadcrumb.xml (which seems to be almost like the user rights file), they're not able to do anything unless both files are working together?

Would you say this is a correct statement?

Thanks


shaharyartiwana25816656  
#7 Posted : Wednesday, April 7, 2021 4:27:31 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Customer Profile link is redirecting to Edit User page so you have to give the "Manage Orders" access to Edit User entry in the adminbreadcrumbs file.
Also to enable breadcrumbs on Edit user page, you have to then give the same access to all the parent entries.

Hope this helps!
ray22901031  
#8 Posted : Wednesday, April 7, 2021 9:01:54 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Yes I am aware of this, but this is not the same behavior as 9.0.3 when it comes to the adminbreadcrumb.xml.

In other words, adminbreadcrumb.xml was never used on 9.0.3, we only had to modify adminmenu.xml to achieve our results. What we are experiencing under 9.0.4 is the following, adminmenu.xml modifies the menu structure on the left side of the admin backend, and in 9.0.3, that it's all that was needed. If the user could not see the link to click, he would not have access to it.

All were trying to do is understand the different behavior under 9.0.4, but were having difficulties communicating this to you. It seems that again, I refer back to my original statement.

adminmenu.xml - Gives you access to the location
adminbreadcrumb.xml - gives you the ability to modify after reaching the location

Were are just trying to understand this new behavior under 9.0.4

Please note this is extremely important to us as this is a make or break position with this platform.

We appreciate your due diligence on this, thanks.
shaharyartiwana25816656  
#9 Posted : Wednesday, April 7, 2021 12:52:06 PM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Hi Ray,

Please go through these two posts. You had identified the issue with our breadcrumb implementation. The users were having access to the part of admin using breadcrumbs where they shouldn't be allowed.
We, in 9.0.4, improved this section and added roles attribute in breadcrumb XML entries.

I would recommend you to please go through the following links and then we can discuss this issue further.

Thanks

https://www.ablecommerce...urrent-security-settings
https://www.ablecommerce...ity-features-and-options
ray22901031  
#10 Posted : Wednesday, April 7, 2021 1:59:51 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Exactly, I think now you're starting to get the point. Going over my previous post is not the issue here.

The adminbreadcrumb.xml is.

So let's go over this again, since the adminbreadcrumb.xml was not being used in 9.03 the way it's being used in 9.04.

Under 9.04 it is now a combination of both files, the adminbreadcrumb.xml and adminmenu.xml which must be edited in synchronization to restrict access to a user role. This is all I'm trying to identify here, so when I start to manipulate the security for our needs, we don't miss anything else.

Is this a correct statement?

Thank you

Edited by user Wednesday, April 7, 2021 2:00:23 PM(UTC)  | Reason: Not specified

shaharyartiwana25816656  
#11 Posted : Thursday, April 8, 2021 2:24:30 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
AdminBreadcrumb.xml:
Basically, this is used to render the breadcrumbs on the page to navigate to the related pages. In 9.0.4 we added roles attributes in XML entries and on the basis of these roles we restrict access to the pages. Because of this change, you were not able to access the user area for an order admin.

You can review the code added in CommerceBuilder.Web\Mvc\AbleAdminController.cs. Search the function OnActionExecuting() in this file.

AdminMenu.xml:
This file is only used for the rendering of the admin menu. We use the roles attribute in the XML entry to show/hide an admin menu.


It is not necessary to use both files in synchronization.
ray22901031  
#12 Posted : Thursday, April 8, 2021 6:01:49 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Thank you, this is the conclusion that I also came to, and we will examine the code in CommerceBuilder.Web\Mvc\AbleAdminController.cs.

>> It is not necessary to use both files in synchronization.

We have found it is better for us to hide options that an admin user does not have access to, it keeps the menu cleaner, and the operator doesn't feel that she's being limited or kept out of something. So it is important to us to use both files in synchronization, one to hide the option, and the other to prevent access to the option.

This is the point that I was trying to make and trying to verify.

The hyperlink under the SKU name which is being displayed on the order items, where in the code can I get rid of this completely or try to restricted it to a role?

Thanks Again
shaharyartiwana25816656  
#13 Posted : Thursday, April 8, 2021 6:56:25 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Quote:
The hyperlink under the SKU name which is being displayed on the order items, where in the code can I get rid of this completely or try to restricted it to a role?


Can you please share a screenshot of the location you are referring to.

Thanks
ray22901031  
#14 Posted : Thursday, April 8, 2021 11:49:16 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
AdminOrder.jpg (655kb) downloaded 4 time(s).

Thanks
shaharyartiwana25816656  
#15 Posted : Friday, April 9, 2021 2:29:27 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Please look for \Website\Areas\Admin\Views\Orders\_OrderItemDetail.cshtml

Line # 5
ray22901031  
#16 Posted : Friday, April 9, 2021 3:25:42 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Thank you very much, I was able to comment out the hyperlink.
Users browsing this topic
Guest (13)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.