This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Administrator permission redirect error
#1
The default sql file creates two users:

User with id = 1 has a default administrator permission.
User with id = 2 has a default user permission.

This also corresponds with the default init.php setting for $master_account:

//adding more ids to this array allows people to access everything, whether offline or not. Use caution.
$master_account = [1];


Administrator status appears to be checked using two different methods:

'in_array($user->data()->id, $master_account)' : if user id is in the master_account array give administrator permission.

'(checkMenu(2,$user->data()->id))' using the checkMenu function : if userid has a permission level = 2 give administrator permission.

Problems occur when you give a userid permission = 2 (administrator) without also including the same userid in the master_account array.

For example:

For the default user with id = 2, add administrator permission AND delete user permission. This user now has administrator role in the permission table but does not have administrator permission in the master_account array.
When you try to login as user I/you get a page redirect error.

A quick fix for this error is to make this change to us_helpers.php

from:

//Check if user's permission levels allow access to page
if (checkPermission($pagePermissions)){
    return true;

}elseif (in_array($user->data()->id, $master_account)){ //Grant access if master user
    return true;

}else {
    if (!$homepage = Config::get('homepage'))
        $homepage = 'index.php';
    $fields = array(
        'user' => $user->data()->id,
        'page' => $pageID,
        'ip' => $ip,
    );
    $db->insert('audit',$fields);
    require_once $abs_us_root.$us_url_root.'usersc/scripts/did_not_have_permission.php';
    Redirect::to($homepage);
    return false;
}



to:

//Check if user's permission levels allow access to page
if (checkPermission($pagePermissions)){
    return true;

///////////////////////////////////////////////////////////////////////////////////////////
}elseif (checkMenu(2,$user->data()->id)){ //Grant access admin
    return true;
///////////////////////////////////////////////////////////////////////////////////////////

}elseif (in_array($user->data()->id, $master_account)){ //Grant access if master user
    return true;

}else {
    if (!$homepage = Config::get('homepage'))
        $homepage = 'index.php';
    $fields = array(
        'user' => $user->data()->id,
        'page' => $pageID,
        'ip' => $ip,
    );
    $db->insert('audit',$fields);
    require_once $abs_us_root.$us_url_root.'usersc/scripts/did_not_have_permission.php';
    Redirect::to($homepage);
    return false;
}



However, I don't think this is the best fix.

What I think should happen is when you add administrator permission to a user, their userid should be added to the master_account array.

eg $master_account[] = 'userid'

and, when administrator permission is deleted from a user, the userid should be deleted from the master_account array.

eg $pos = array_search('userid', $master_account);
if ($pos !== false) { unset($master_account[$pos]); } // array_search() returns false when the id is absent

However, this cannot be done since the master_account array is automatically reset to the default value in the init.php file '$master_account = [1];' when the program loads.
  Reply
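
The mismatch described in the post above, reduced to a self-contained PHP sketch (an added example, not UserSpice code and not part of the original post). hasPermission(), isAdmin() and the two canAccess functions are hypothetical stand-ins for checkMenu()/checkPermission() and the page check, and the permission table is constructed sample data.

```php
<?php
// Added illustration; not UserSpice code. All function names are hypothetical.

// Constructed sample data: user 2 holds only permission 2 (administrator)
// and is not listed in $master_account, as in the post's example.
$master_account  = [1];
$userPermissions = [1 => [2], 2 => [2], 3 => [1], 4 => []]; // user id => permission ids

// Stand-in for checkMenu($permId, $userId): does the user hold this permission?
function hasPermission(array $table, int $userId, int $permId): bool
{
    return in_array($permId, $table[$userId] ?? [], true);
}

// One definition of "administrator", used by every check.
function isAdmin(array $table, array $masters, int $userId): bool
{
    return in_array($userId, $masters, true) || hasPermission($table, $userId, 2);
}

// Page check as in the "from" snippet: page permissions, then master list only.
function canAccessOriginal(array $table, array $masters, int $userId, array $pagePerms): bool
{
    foreach ($pagePerms as $permId) {
        if (hasPermission($table, $userId, $permId)) {
            return true;
        }
    }
    return in_array($userId, $masters, true);
}

// Same check routed through isAdmin(), so it cannot disagree with other admin tests.
function canAccessUnified(array $table, array $masters, int $userId, array $pagePerms): bool
{
    foreach ($pagePerms as $permId) {
        if (hasPermission($table, $userId, $permId)) {
            return true;
        }
    }
    return isAdmin($table, $masters, $userId);
}

// A page restricted to permission 1 (user). Only user 2 differs between the two checks.
foreach (array_keys($userPermissions) as $id) {
    printf("user %d: original=%s unified=%s\n", $id,
        var_export(canAccessOriginal($userPermissions, $master_account, $id, [1]), true),
        var_export(canAccessUnified($userPermissions, $master_account, $id, [1]), true));
}
```

Routing administrator status through one function keeps the page check from disagreeing with any other admin test. Like the quick fix in the post, it lets every holder of permission 2 past per-page permissions, the same as a master account.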