logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
ray22901031  
#1 Posted : Saturday, October 9, 2021 4:58:59 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
We have modified the "Order Admins" so my operators have access to the user section, but not the admin section under People. In order for my "Order Admins" to function properly they must have access to the customer database, whether it's to edit an existing customer by changing the password, adding an address, or even entering a new user, this is a must.

Unfortunately, once you have access to the "People" menu, and you click manage users, you have the ability to change the password of anyone that's higher than yourself. This is a major security flaw.

There are two ways I can think of fixing this.

#1. When trying to change a password, make sure unless you are a "Super Users", you're not allowed to change the password of any other Admin user.

#2. This would be my favorite, when clicking manage users, do not show any user that belongs to an "Admin Group" - Out of curiosity, where would one go to fix this?

Many thanks

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

shaharyar  
#2 Posted : Monday, October 11, 2021 4:26:48 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
By default, order admins don't have access to edit a user. Since you have modified the order admins access rights, you need to update the code to further achieve your requirements.

Quote:
#2. This would be my favorite, when clicking manage users, do not show any user that belongs to an "Admin Group" - Out of curiosity, where would one go to fix this?


There is a property that will filter the results. If you assign 'false' to this property, it will only display non-admin users.
Code:
model.UserSearchCriteria.LimitToAdminUsers = BitFieldState.False;


ray22901031  
#3 Posted : Monday, October 11, 2021 4:34:51 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Is this located in the user or people controller?

Thanks

Update: Is it line # 462 under PeopleController ?

Edited by user Monday, October 11, 2021 4:38:28 AM(UTC)  | Reason: Not specified

shaharyar  
#4 Posted : Monday, October 11, 2021 5:55:52 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Yes, controller is PeopleController.

But the line# you mentioned is in #ADMINS regions whereas an update is needed in the #USERS region. You will need to add the line of code to update the criteria.
ray22901031  
#5 Posted : Monday, October 11, 2021 7:31:37 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
But of course.

Since I'm still in my learning stages of C#, just to make sure, to do this properly copy the file to the custom directory under "Areas\Admin\Controllers", to follow MVC procedures.

This insert should be around line item #133.

Would this be correct?

Many thanks
shaharyar  
#6 Posted : Monday, October 11, 2021 8:16:29 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
This is not valid for the controllers. You have to update the existing controller code.
You can only override views by copying with the same hierarchy under themes folder.
ray22901031  
#7 Posted : Monday, October 11, 2021 8:18:40 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Definitely got the message when I tried to compile - thanks
ray22901031  
#8 Posted : Monday, October 11, 2021 9:46:44 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Thank you for your help, all is working fine. Don't you think this should be the default setting moving forward, after all why have two different places. Now, you have one for users and one for admin, why mix them?

Besides the confusion, this is a serious security risk, having a regular user lockout a superuser.

Just my thoughts.
-Ray
Users browsing this topic
Guest (4)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.