logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
ray22901031  
#1 Posted : Friday, October 30, 2020 9:00:38 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
This started originally under the post "Better admin security features and options", I know that Katie was going to have someone look at this, but I wanted to share with you my findings.

Here are some of the hiccups with the current security system, I am basing this analysis on the "order manager" admin user settings, which only should have rights for orders and nothing else. Of course this is based on the original "adminmenu.xml" from Ablecommerce.

#1. When you go into an order, and you click the more button on the right and you go to customer profile, you now have a breadcrumb trail on the top, this can take you directly into the user area.

#2. If you edit any order, you will see that the item description is hyperlinked, so if you click on that, you now able to edit and manipulate products.

The quick solution would be remove the breadcrumb, and to remove the hyperlink from the product description in the order.

I hope this helps

PS: I still would love to see this security area of ablecommerce revamped, extremely weak.

Edited by user Friday, October 30, 2020 9:01:27 PM(UTC)  | Reason: Not specified

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

shari  
#2 Posted : Monday, November 2, 2020 5:34:54 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Thanks for the details. Your explanations are always beneficial.

This is a known issue and we are already discussing this under this topic "Better admin security features and options".
Users browsing this topic
Guest (2)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.