The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Is function checkPermission($permission) valid to use?
#1
I was getting ready to write a function to check if the current user had a given permission level and I came across this function on line 419 of us_helpers.php:

Code:
//Does user have permission
Code:
//This is the old school UserSpice Permission System
Code:
function checkPermission($permission) {

Does this "old school" mean I shouldn't be using it?

Is there an explanation anywhere about the whole permissions system without going through the video as it is coded? I want to treat "permissions" as the concept of groups from linux, but i'm not sure if I'm OK going that route or not...
  Reply
#2
Oh, I think I see. It's the funky $permission that is part of the old school system. I didn't look at that closely enough.

I've now re-written it as this: http://pastebin.com/xxPhL5GC

You can ignore this post except for the question about the whole permissions thing and whether it is equivalent to groups..

  Reply
#3
You can definitely treat permission levels as groups. They don't have to be segregated with one necessarily being higher than the other one. Another function called checkMenu essentially does the same thing if you want specific permission levels to see certain things.

I need to do a write up on the whole permission thing.

Essentially when you create a permission level, it gets and id. You can even see the id from the backend when you click on the permission.

When you add a page's visibility to a certain permission group, a new line is created in permission_page_matches in the database. That line has both the page id and the permission level id.

Finally, when you give a permission level to a user, there is a line added in the db table user_permission_matches with the user's id and the permission level.

So you basically have this triangle needed to access a page (user_id, permission_id, page_id).

So user 1 goes to a page... UserSpice looks up all the permission ids that are linked to that user_id. Then it looks at the page and sees what permission_ids are allowed to visit that page_id. If everything lines up, you're let in.

I hope that helps.

  Reply
#4
Thanks - that helps.
  Reply
#5
Hi,

I am strugling with the permissions thing, does not matter if the user has access or not, every single page is accesible without login in.

What am I missing?

Can someone point me in the direction of the function that checks for the permissions?

Is it possible it is missing from the pages I have written? (I used the template given)

Thanks

EDIT:

Found it, sorry.. the line

<?php if (!securePage($_SERVER['PHP_SELF'])){die();} ?>

was commented as
<?php //if (!securePage($_SERVER['PHP_SELF'])){die();} ?>
I think it was like that on the template
  Reply
#6
Whoa. You're absolutely right. That was a complete goof. Sometimes for dev purposes it will get commented out, but that one wasn't supposed to be released. My fault.

I've added it to the bugs and it will get fixed on release 4.1.5 on Monday.
  Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)