Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
We have modified the "Order Admins" so my operators have access to the user section, but not the admin section under People. In order for my "Order Admins" to function properly they must have access to the customer database, whether it's to edit an existing customer by changing the password, adding an address, or even entering a new user; this is a must.
Unfortunately, once you have access to the "People" menu and you click manage users, you have the ability to change the password of anyone that's higher than yourself. This is a major security flaw.
There are two ways I can think of fixing this.
#1. When trying to change a password, make sure that unless you are a "Super User", you're not allowed to change the password of any other Admin user.
#2. This would be my favorite, when clicking manage users, do not show any user that belongs to an "Admin Group" - Out of curiosity, where would one go to fix this?
Many thanks
Rank: Advanced Member
Groups: Admin, Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
By default, order admins don't have access to edit a user. Since you have modified the order admins' access rights, you need to update the code to further achieve your requirements.

Quote:
#2. This would be my favorite, when clicking manage users, do not show any user that belongs to an "Admin Group" - Out of curiosity, where would one go to fix this?

There is a property that will filter the results. If you assign 'false' to this property, it will only display non-admin users.

Code:
model.UserSearchCriteria.LimitToAdminUsers = BitFieldState.False;
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Is this located in the user or people controller? Thanks

Update: Is it line #462 under PeopleController?

Edited by user Monday, October 11, 2021 4:38:28 AM(UTC) | Reason: Not specified
Rank: Advanced Member
Groups: Admin, Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
Yes, the controller is PeopleController.
But the line # you mentioned is in the #ADMINS region, whereas the update is needed in the #USERS region. You will need to add the line of code there to update the criteria.
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
But of course.
Since I'm still in the learning stages of C#, just to make sure: to do this properly, copy the file to the custom directory under "Areas\Admin\Controllers" to follow MVC procedures.
This insert should be around line item #133.
Would this be correct?
Many thanks
Rank: Advanced Member
Groups: Admin, Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
This is not valid for the controllers. You have to update the existing controller code. You can only override views, by copying them with the same hierarchy under the themes folder.
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Definitely got the message when I tried to compile - thanks.
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Thank you for your help, all is working fine. Don't you think this should be the default setting moving forward? After all, why have two different places? Now you have one for users and one for admins, so why mix them?
Besides the confusion, this is a serious security risk, having a regular user lock out a superuser.
Just my thoughts. -Ray
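Both of Ray's proposed fixes side by side, as an added C# example that is not AbleCommerce's code: a tri-state filter standing in for the `LimitToAdminUsers` property from the reply above (fix #2), plus a server-side check in the password-change path itself (fix #1), so an order admin is refused even when a request reaches the action without going through the filtered list. `BitFieldState`, `UserSearchCriteria`, `User` and `PeopleAuthorization` here are constructed stand-ins, not the product's own types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for the tri-state filter named in the thread
// (BitFieldState.False); not AbleCommerce's actual enum.
enum BitFieldState { Any, True, False }

class UserSearchCriteria { public BitFieldState LimitToAdminUsers = BitFieldState.Any; }

// Constructed user model: the two flags the thread's rules depend on.
class User
{
    public string UserName; public bool IsAdmin; public bool IsSuperUser;
    public User(string name, bool admin, bool super) { UserName = name; IsAdmin = admin; IsSuperUser = super; }
}

static class PeopleAuthorization
{
    // Fix #2: the user list shown in the #USERS region omits admin accounts
    // when the criteria are set to False, mirroring the reply's one-liner.
    public static IEnumerable<User> Search(UserSearchCriteria criteria, IEnumerable<User> all)
    {
        switch (criteria.LimitToAdminUsers)
        {
            case BitFieldState.False: return all.Where(u => !u.IsAdmin);
            case BitFieldState.True:  return all.Where(u => u.IsAdmin);
            default:                  return all;
        }
    }

    // Fix #1: enforced where the password actually changes, not only in the
    // list view, so hiding admins from the grid is not the sole control.
    public static bool CanChangePassword(User actor, User target)
    {
        if (actor.IsSuperUser) return true;                 // super users may reset anyone
        if (actor.UserName == target.UserName) return true; // everyone may change their own
        return !target.IsAdmin;                             // other admins: non-admin targets only
    }
}

class Program
{
    static void Main()
    {
        var users = new List<User> { new User("superuser", true, true),
                                     new User("orderadmin", true, false),
                                     new User("customer", false, false) };
        var criteria = new UserSearchCriteria { LimitToAdminUsers = BitFieldState.False };
        Console.WriteLine("Visible to order admins: " +
            string.Join(", ", PeopleAuthorization.Search(criteria, users).Select(u => u.UserName)));
        Console.WriteLine("orderadmin -> superuser allowed: " + PeopleAuthorization.CanChangePassword(users[1], users[0]));
        Console.WriteLine("orderadmin -> customer allowed:  " + PeopleAuthorization.CanChangePassword(users[1], users[2]));
    }
}
```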