Closed Oxymoron290 closed 11 years ago
I'm on v2.1.934-171-gbc02380 and YES, I have verified this is a bug. In fact the entire group permissions part of the site is bugged. However, PilotGroups.class.php is fine and has no problems; the issue is that it never checks the user for permissions. The only time it actually checks is when they go to the admin panel, and whether they have access to the panel. For example, if I were to go to the admin panel and I didn't have the EDIT_NEWS permission, the link does NOT show up, which is as expected; however, if I were to put in the URL it would gladly take me there and do everything I would be able to do just as if I had FULL_ADMIN. Right now I'm just going through each admin module and in all the public functions I'm doing a check for the permission. I'm even adding in a few to the core common classes corresponding to those that are public, but that is a bit more complicated because it isn't always required in the core common classes. Anyway I hope this helps and I see a security fix soon =) Thanks.
Video demonstrating the bug here: http://youtu.be/nCo5ovcb8tg
Hey, yeah, it basically just blocks the link. If you've fixed this in your copy, I'd appreciate a pull request; then I can merge it into the main project.
The proper way to fix this is in core: add a function that runs before every module, and then in the module, have a function that's called before load, which has the right permissions. This is how every other framework basically does it. I'll try to get to adding this soon, but I'm not sure if I want to do it for 3.0, or also backport it to 2.x...
I'm working on making one for a pull request. I couldn't actually let you pull our production script because it's heavily modified. Two, maybe three days tops?
Also I'm thinking about having the module (any module) initialize and declare a public variable, 'public $perm = EDIT_NEWS;' for example, and have a core class check it. I'm still deciding which core class would be best; any suggestions?
I can whip up the core module modifications tomorrow; it's something that's needed for the next version anyway. I think I will do it for 3.x only. What are your thoughts?
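The design sketched in the two comments above (a core hook that runs before every admin module, plus a per-module `public $perm` the core checks) written out as an added illustration; this is not phpVMS code and not code from either poster. The permission bits, `group_has_perm()` stand-in and `NewsAdmin` class are constructed for the example; in the project the check would go through `PilotGroups::group_has_perm(Auth::$usergroups, ...)` as quoted later in this thread.

```php
<?php
// Added illustration, not phpVMS code. Permission bits are constructed
// stand-ins; phpVMS defines its own constants (EDIT_NEWS, EDIT_GROUPS, ...).
const EDIT_NEWS   = 1 << 0;
const EDIT_GROUPS = 1 << 1;
const EDIT_FLEET  = 1 << 2;
const FULL_ADMIN  = 1 << 10;

// Stand-in for PilotGroups::group_has_perm(): true if any of the user's
// group masks carries the requested bit, or carries FULL_ADMIN.
function group_has_perm(array $groupMasks, int $perm): bool {
    foreach ($groupMasks as $mask) {
        if (($mask & FULL_ADMIN) !== 0 || ($mask & $perm) !== 0) {
            return true;
        }
    }
    return false;
}

// Every admin module declares the permission it needs. A null $perm
// means "nobody", so a module cannot become reachable by omission.
abstract class AdminModule {
    public ?int $perm = null;
    abstract public function index(): string;
}

class NewsAdmin extends AdminModule {
    public ?int $perm = EDIT_NEWS;
    public function index(): string { return 'news editor'; }
}

// Core dispatcher: the check runs here, before any module method is
// invoked, so typing the URL directly gets the same answer as the menu.
function dispatch(AdminModule $module, string $action, array $userGroups): string {
    if ($module->perm === null || !group_has_perm($userGroups, $module->perm)) {
        return 'forbidden';            // caller would send HTTP 403 here
    }
    if (!method_exists($module, $action)) {
        return 'not found';
    }
    return $module->$action();
}

// Constructed users: one group with EDIT_FLEET only, one with EDIT_NEWS.
var_dump(dispatch(new NewsAdmin(), 'index', [EDIT_FLEET]));  // forbidden
var_dump(dispatch(new NewsAdmin(), 'index', [EDIT_NEWS]));   // news editor
var_dump(dispatch(new NewsAdmin(), 'index', [FULL_ADMIN]));  // news editor
```

Hiding the link in the template (the behaviour the reporter describes) is a presentation choice; the dispatcher check is what actually denies the request.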
Well how long until 3.x is available for stable release?
Not sure, but here's what I'll do: I'll make a new branch off of master for testing this, then I can merge it back into both. I'll need some help testing this for sure.
Fixed in pull request #96.
We're missing the Add & Edit Fleet link in the Admin. ;) Including a few links in the phpVMS Site & Settings link. ;)
Verify you have the EDIT_FLEET permission, and verify you have the latest ./admin/templates/core_navigation.tpl.
I'm not sure this is a bug, but in /admin/templates/pilots_groups.tpl on lines 26 and 43 it says PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN); shouldn't it be PilotGroups::group_has_perm(Auth::$usergroups, EDIT_GROUPS)?