Administrator permission redirect error - Printable Version. UserSpice forums (https://userspice.com/forums), Support Center, UserSpice 4.3 and Below. Thread: /showthread.php?tid=557
Administrator permission redirect error - Jeff - 05-04-2017

The default sql file creates two users:

- User with id = 1 has a default administrator permission.
- User with id = 2 has a default user permission.

This also corresponds with the default init.php setting for $master_account:

```php
//adding more ids to this array allows people to access everything, whether offline or not. Use caution.
$master_account = [1];
```

Administrator status appears to be checked using two different methods:

- 'in_array($user->data()->id, $master_account)' : if user id is in the master_account array give administrator permission.
- '(checkMenu(2,$user->data()->id))' using the checkMenu function : if userid has a permission level = 2 give administrator permission.

Problems occur when you give a userid permission = 2 (administrator) without also including the same userid in the master_account array.

For example: For the default user with id = 2, add administrator permission AND delete user permission. This user now has administrator role in the permission table but does not have administrator permission in the master_account array. When you try to log in as user I/you get a page redirect error.

A quick fix for this error is to make this change to us_helpers.php from:

```php
//Check if user's permission levels allow access to page
if (checkPermission($pagePermissions)){
    return true;
}elseif (in_array($user->data()->id, $master_account)){ //Grant access if master user
    return true;
}else {
    if (!$homepage = Config::get('homepage'))
        $homepage = 'index.php';
    $fields = array(
        'user' => $user->data()->id,
        'page' => $pageID,
        'ip' => $ip,
    );
    $db->insert('audit',$fields);
    require_once $abs_us_root.$us_url_root.'usersc/scripts/did_not_have_permission.php';
    Redirect::to($homepage);
    return false;
}
```

to:

```php
//Check if user's permission levels allow access to page
if (checkPermission($pagePermissions)){
    return true;
///////////////////////////////////////////////////////////////////////////////////////////
}elseif (checkMenu(2,$user->data()->id)){ //Grant access admin
    return true;
///////////////////////////////////////////////////////////////////////////////////////////
}elseif (in_array($user->data()->id, $master_account)){ //Grant access if master user
    return true;
}else {
    if (!$homepage = Config::get('homepage'))
        $homepage = 'index.php';
    $fields = array(
        'user' => $user->data()->id,
        'page' => $pageID,
        'ip' => $ip,
    );
    $db->insert('audit',$fields);
    require_once $abs_us_root.$us_url_root.'usersc/scripts/did_not_have_permission.php';
    Redirect::to($homepage);
    return false;
}
```

However, I don't think this is the best fix.

What I think should happen is when you add administrator permission to a user, their userid should be added to the master_account array, e.g.

```php
$master_account[] = 'userid'
```

and, when administrator permission is deleted from a user, the userid should be deleted from the master_account array, e.g.

```php
$pos = array_search('userid', $master_account);
unset($master_account[$pos]);
```

However, this cannot be done since the master_account array is automatically reset to the default value in the init.php file '$master_account = [1];' when the program loads.
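
The mismatch described in the post above can be found before anyone hits the redirect error. The following is an added example, not part of the original post and not UserSpice code: it audits which accounts the two administrator checks disagree on. The function names, the row layout and the sample data are assumptions constructed for illustration; only `$master_account = [1]` and "permission 2 = administrator" come from the post.

```php
<?php
declare(strict_types=1);

// Constructed sample data modelled on the post: permission id 1 = user,
// permission id 2 = administrator; init.php ships $master_account = [1].
const ADMIN_PERMISSION_ID = 2;
$master_account = [1];
$permissionRows = [ // constructed (user_id, permission_id) pairs
    ['user_id' => 1, 'permission_id' => 2],
    ['user_id' => 2, 'permission_id' => 2], // user 2 after the change in the post
    ['user_id' => 3, 'permission_id' => 1],
];

/** Check 1 from the post: membership in the hard-coded master list. */
function isMasterAccount(int $userId, array $masterAccount): bool
{
    return in_array($userId, $masterAccount, true);
}

/** Check 2 from the post, modelled here as "has a row with permission 2". */
function hasAdminPermission(int $userId, array $rows): bool
{
    foreach ($rows as $row) {
        if ($row['user_id'] === $userId && $row['permission_id'] === ADMIN_PERMISSION_ID) {
            return true;
        }
    }
    return false;
}

/** Return every user id for which the two administrator checks disagree. */
function findAdminMismatches(array $rows, array $masterAccount): array
{
    $userIds = array_unique(array_merge(array_column($rows, 'user_id'), $masterAccount));
    sort($userIds);
    $mismatches = [];
    foreach ($userIds as $id) {
        $master = isMasterAccount($id, $masterAccount);
        $admin  = hasAdminPermission($id, $rows);
        if ($master !== $admin) {
            $mismatches[$id] = ['master_account' => $master, 'admin_permission' => $admin];
        }
    }
    return $mismatches;
}

foreach (findAdminMismatches($permissionRows, $master_account) as $id => $state) {
    printf("user %d: master_account=%s admin_permission=%s\n", $id,
        var_export($state['master_account'], true), var_export($state['admin_permission'], true));
}
```

Any id the audit reports is an account that one code path treats as administrator and the other does not, which is the condition the post ties to the redirect error.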