This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!
User Creation Permission
#1
Hi there,

I have modified the script so users with access to the User Management permission level can add users, but not delete. However, I'm running into the issue of, technically these users could create a user above their level, e.g. a system admin.

I have these permissions:
1 - CSR
2 - System Administrator (full access)
3 - Log Access
4 - User Management
5 - Manager

E.g. a CSR would only have CSR access
A Supervisor would have CSR, Log and User Management Access
A Manager would have CSR, Log, User and Manager access
A System Admin would have level 2 access (full)

A Supervisor should not be able to make a Manager or SA account.
A Manager should not be able to make a SA account.
SA can make an account for any level.

This would go for when they are editing a user too, they should not be able to assign levels above them.

Thanks in advance guys!
#2
Could you post a pastebin of the script as you have modified it?
#3
What makes this a little tricky is that user levels are not "levels" as in one is higher than another. Personally, if I were doing this, I would create the permission levels and then go into the database into the permissions level and give some space (like 5 or 10 between them) in case you ever have to add more levels. Do this BEFORE you start assigning all these permissions to pages. I would do

10 – CSR
20 – System Administrator (full access)
30 – Log Access
40 – User Management
50 – Manager

Then, the trick is going to be figuring out the HIGHEST level of permissions that a user has access to by their own user id (which is expressed as $user->data()->id).

I had a few minutes so I typed out the code (including var_dumps so you can see what each query is bringing back) and a drop down box at the bottom showing you the permission names (but still recording the ids). If you are writing your own thing to create new users I STRONGLY recommend you check out the code that does this on the backend in admin_users.php to see the other things that have to happen when you create a new user.
Here is the code on hastebin (which is probably easier to read)
http://hastebin.com/ricacecoja.xml
Code:
<?php
//get a list of the highest permission level your logged in user has...
$highestPermQ = $db->query("SELECT * FROM user_permission_matches WHERE user_id = ? ORDER BY permission_id DESC",array($user->data()->id));
$highestPerm = $highestPermQ->first();
dump($highestPerm);

//now you need to figure out what permissions they can use for their dropdown box or whatever.
$highest = $highestPerm->permission_id;
dump($highest); //This SHOULD give you the highest permission level they have
$availableQ = $db->query("SELECT * FROM permissions WHERE id !=2 AND id < ?",array($highest));
$available = $availableQ->results();
dump($available); //should show all ids below the one listed above but NOT admin (2)
?>

<div class="form-group">
<label for="available">Available user levels</label>
<select class="form-control" name="available" id="available" required>
<?php foreach($available as $a){ ?>
<option value="<?=$a->id?>"><?=$a->name?></option>
<?php } ?>
</select>
</div>
#4
Thanks for your reply. The new page I made for user creation only is the same script that is in the admin_users.php page, just moved to a separate page. I didn't like it on the admin_users page. I will manually go in and modify the levels and leave room. Do you think an acceptable solution is to make it so the permission levels go in order, Highest being level 50 and Lowest being level 10 (or vice versa)?

Please advise of your thoughts.
#5
Either way is fine. The problem is that admin is stuck at 2 and you don't want to change it... Believe it or not, that's legacy from being able to upgrade usercake from probably a decade ago.

As long as you get your > or < right and make sure to exclude permission level 2, I don't see a problem either way. Also, I'm hoping you left the code on admin_users as it will get updated from time to time.

Best practice would be to change access to that page to something that only you have if you don't want people to ever visit that page. If you want people to be able to access that page, but you want to modify it, best practice is to copy the entire file (and admin_user) to the usersc folder and then change the path to the init to ../users/init.

This will prevent our updates from breaking your code.

Note that if "real" users will have access to admin_users you can always add those two queries at the top of the page so users can only access people who are below them. The big issue there is that you have to make sure that people can do the same with admin_user or they will be able to just change the get variable and modify users above them.
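The two queries from post #3 and the warning just above about changing the GET variable on admin_user call for one helper that builds the dropdown and is re-run on submission. The following is an added example, not UserSpice's own code or Mudmin's: it uses PDO with an in-memory SQLite database and constructed rows in place of the UserSpice `$db` wrapper and its tables, keeps admin at its legacy id 2, and adds an explicit admin branch (so an SA can assign any level) that the post's snippet does not have.

```php
<?php
// Added example, not UserSpice code. PDO + in-memory SQLite with constructed
// sample rows stand in for the UserSpice $db wrapper and its tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("CREATE TABLE user_permission_matches (user_id INTEGER, permission_id INTEGER)");
// Spaced levels as suggested in the thread; admin stays at its legacy id 2.
$pdo->exec("INSERT INTO permissions VALUES (2,'System Administrator'),(10,'CSR'),
            (30,'Log Access'),(40,'User Management'),(50,'Manager')");
// Constructed users: 7 = Supervisor (CSR, Log, User Mgmt), 8 = Manager, 9 = SA.
$pdo->exec("INSERT INTO user_permission_matches VALUES (7,10),(7,30),(7,40),
            (8,10),(8,30),(8,40),(8,50),(9,2)");

const ADMIN_PERMISSION_ID = 2;

// Levels the acting user may hand out. Admins may assign anything; everyone
// else gets the non-admin levels strictly below their own highest level, as in
// the post's two queries. Use "id <= ?" instead if peers should be assignable.
function assignableLevels(PDO $pdo, int $actorId): array
{
    $st = $pdo->prepare("SELECT permission_id FROM user_permission_matches WHERE user_id = ?");
    $st->execute([$actorId]);
    $mine = array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
    if (in_array(ADMIN_PERMISSION_ID, $mine, true)) {
        $all = $pdo->query("SELECT id FROM permissions")->fetchAll(PDO::FETCH_COLUMN);
        return array_map('intval', $all);
    }
    $highest = $mine ? max($mine) : 0;
    $st = $pdo->prepare("SELECT id FROM permissions WHERE id != ? AND id < ?");
    $st->execute([ADMIN_PERMISSION_ID, $highest]);
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// Run this in the POST handler of both the create page and admin_user. The
// dropdown only shapes the UI; an edited form or GET parameter can still
// submit any id, so the requested level is re-checked against the actor.
function canAssign(PDO $pdo, int $actorId, int $requestedLevel): bool
{
    return in_array($requestedLevel, assignableLevels($pdo, $actorId), true);
}

var_dump(assignableLevels($pdo, 7));   // Supervisor's dropdown contents
var_dump(canAssign($pdo, 7, 50));      // Supervisor requesting Manager level
var_dump(canAssign($pdo, 8, 40));      // Manager requesting User Management
var_dump(canAssign($pdo, 8, 2));       // Manager requesting admin
var_dump(canAssign($pdo, 9, 50));      // SA requesting Manager level
```

The same `canAssign` check belongs in the edit path as well, keyed on the target user's current levels, so that a lower-level user cannot demote or reassign someone above them by editing the id in the URL.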
#6
The reason for moving the Create Users to a different file was simply that I hated it being there. It is definitely a function I need and will use, as registration is disabled in my system, it's manual user creation only, but I did not want to have it on the admin_users page. I may go with your suggestion and move the entire thing over. I understand the permission level 2. Will it cause issues changing it to level 20 though instead of 2? Hmm... This seems like such a "smart" thing to do (restricting what users can create) but such a complicated thing.

I will see what I can figure out with the suggestions given.
#7
Yeah... I regret sticking it there and it will move in the future. It was a matter of convenience at the time. I would definitely copy it because you want to maintain future compatibility as much as possible.

I would be really careful about changing permission level 2. There are a few things in the system that are there for compatibility. For instance, the user with the id of 1 can get into anything regardless of "permission" level. I can't think of anything that 2 would break with the exception that if we push out updates with new pages, they're going to assume permission level 2. I'm fine with you trying it and seeing if anything breaks... if you do change it, make sure that no one is ever assigned level 2 then if we push something in the future, you won't have issues. You will be able to access it and no one else will until you make a change.
#8
Ahh. One more thought...since your users are going to have this pretty powerful feature, I would change line 111 of admin_users.php from

Code:
'account_owner' => 1,

to
Code:
'account_owner' => $user->data()->id,

This will give you a trail of who created each account. In the event that there is mischief, you will know the source of it.
#9
Mudmin,

By changing line 111, the account owner information, how can I track this? Where will this show up?

I have already built a log script into my system that tracks any changes I just had to add scripts in specific places.

Thank you.
#10
In the scenario painted, every user will have the person who created them in the account owner column of the user table in the database.