I use an index to call my pages and the premission doesn't work

The following warnings occurred:

Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)

File	Line	Function
/global.php(961) : eval()'d code	26	errorHandler->error
/global.php	961	eval
/printthread.php	16	require_once

I use an index to call my pages and the premission doesn't work - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Miscellaneous (https://userspice.com/forums/forumdisplay.php?fid=28)
+--- Forum: Documentation (https://userspice.com/forums/forumdisplay.php?fid=30)
+--- Thread: I use an index to call my pages and the premission doesn't work (/showthread.php?tid=507)

I use an index to call my pages and the premission doesn't work - kwix - 03-28-2017

Hi,

Im using an index page which is calling all the pages that i want. For exemple when i click on a lick my url is like

Code:
index.php?page=APage.php&projectName=name

As you can see im getting different parameters and when i set the page "APage.php" to private, it doesn't work, i still can access to the page.

Here a part of the code of my index.php

<div id="wrapper-wrapper">
<?php require("partials/nav.php"); ?>
<div id="page-wrapper" class="admin">
<?php
if (!isset($_GET['page'])){
require("pages/main.php");
}else{
if(isset($_GET['page']) && preg_match("/^[-a-z0-9_&]+$/i",$_GET['page'])){
$page=strtolower($_GET['page']);
if (file_exists("pages/$page.php")){
require ("pages/$page.php");
}else if(file_exists("admin/pages/$page.php")){
require ("admin/pages/$page.php");
}else{
require ("pages/404.php");
}
}else{
require ("pages/404.php");
}
}
?>
</div>
</div>

How can i use the permission without modifying all my php pages ?

Regards,

I use an index to call my pages and the premission doesn't work - JUG - 03-28-2017

Did you set permissions of these pages in admin dashboard?

Also, every page that you need to be secure must have init.php and secure_page lines somewhere.

I use an index to call my pages and the premission doesn't work - Brandin - 03-28-2017

If I recall correctly I also have issues where the master page e.g.

Code:
orders.php

would have a variable of

Code:
?type=daystats

and I would set a permission particular to daystats but not orders, and it would override the daystats permission and use the orders permission, I haven't looker deeper into it, just kinda ignored it. I will play around and see if I can find anything that might help.

I use an index to call my pages and the premission doesn't work - Brandin - 03-28-2017

I have the following page format to this situation:

Code:
usersc/report.php

Code:
usersc/includes/orderreport.php

Code:
usersc/includes/orders/bo.php

Code:
report.php

allows CSR (normal level 1 access)

Code:
orderreport.php

allows CSR (normal level 1 access)

However,

Code:
bo.php

allows System Admin (normal level 2 access), but I can still access this page as a CSR.

All three pages have init and the securePage query.

I'm thinking this is similar to your situation, kwix?

I use an index to call my pages and the premission doesn't work - kwix - 03-30-2017

Yes i did it jug.

@brandin : Yes I think its a bit similar but I have to modify all the code anyway, so I will try to correct that at the beginning.

I use an index to call my pages and the premission doesn't work - mudmin - 03-30-2017

Yeah. If you want userspice to restrict a page on its own, you need the securePage line on the each php page. Either way, that's good practice, and you can do a find/replace to probably make that happen pretty easily.

The other thing you can do (depending on how many permission levels you're using) is something along the lines of adding a permission restriction to your page calls. So, let's say you only want to let people with permission level 2,3,4 get those pages, you can do something like...

Code:
if(hasPerm([2,3,4]){

Code:
require ("admin/pages/$page.php");

Code:
}