The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
I use an index to call my pages and the premission doesn't work
#1
Hi,

Im using an index page which is calling all the pages that i want. For exemple when i click on a lick my url is like
Code:
index.php?page=APage.php&projectName=name
As you can see im getting different parameters and when i set the page "APage.php" to private, it doesn't work, i still can access to the page.

Here a part of the code of my index.php

<div id="wrapper-wrapper">
<?php require("partials/nav.php"); ?>
<div id="page-wrapper" class="admin">
<?php
if (!isset($_GET['page'])){
require("pages/main.php");
}else{
if(isset($_GET['page']) && preg_match("/^[-a-z0-9_&]+$/i",$_GET['page'])){
$page=strtolower($_GET['page']);
if (file_exists("pages/$page.php")){
require ("pages/$page.php");
}else if(file_exists("admin/pages/$page.php")){
require ("admin/pages/$page.php");
}else{
require ("pages/404.php");
}
}else{
require ("pages/404.php");
}
}
?>
</div>
</div>


How can i use the permission without modifying all my php pages ?

Regards,
  Reply
#2
Did you set permissions of these pages in admin dashboard?

Also, every page that you need to be secure must have init.php and secure_page lines somewhere.
  Reply
#3
If I recall correctly I also have issues where the master page e.g.
Code:
orders.php
would have a variable of
Code:
?type=daystats
and I would set a permission particular to daystats but not orders, and it would override the daystats permission and use the orders permission, I haven't looker deeper into it, just kinda ignored it. I will play around and see if I can find anything that might help.
  Reply
#4
I have the following page format to this situation:
Code:
usersc/report.php
Code:
usersc/includes/orderreport.php
Code:
usersc/includes/orders/bo.php

Code:
report.php
allows CSR (normal level 1 access)
Code:
orderreport.php
allows CSR (normal level 1 access)

However,
Code:
bo.php
allows System Admin (normal level 2 access), but I can still access this page as a CSR.

All three pages have init and the securePage query.

I'm thinking this is similar to your situation, kwix?
  Reply
#5
Yes i did it jug.

@brandin : Yes I think its a bit similar but I have to modify all the code anyway, so I will try to correct that at the beginning.
  Reply
#6
Yeah. If you want userspice to restrict a page on its own, you need the securePage line on the each php page. Either way, that's good practice, and you can do a find/replace to probably make that happen pretty easily.

The other thing you can do (depending on how many permission levels you're using) is something along the lines of adding a permission restriction to your page calls. So, let's say you only want to let people with permission level 2,3,4 get those pages, you can do something like...

Code:
if(hasPerm([2,3,4]){
Code:
require ("admin/pages/$page.php");
Code:
}
  Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)