phpvms / phpvms_v2

Virtual Airline Management (not maintained)
http://www.phpvms.net
BSD 3-Clause "New" or "Revised" License

[URGENT] Permissions #80

Closed Oxymoron290 closed 11 years ago

Oxymoron290 commented 12 years ago

I'm not sure this is a bug, but in /admin/templates/pilots_groups.tpl on lines 26 and 43

it says PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)

shouldn't it be PilotGroups::group_has_perm(Auth::$usergroups, EDIT_GROUPS)?

Oxymoron290 commented 12 years ago

I'm on v2.1.934-171-gbc02380 and YES, I have verified this is a bug. In fact the entire group permissions part of the site is bugged. However, PilotGroups.class.php is fine and has no problems; the issue is that it never checks the user for permissions. The only time it actually checks is when they go to the admin panel, and whether they have access to the panel.

For example, if I were to go to the admin panel and I didn't have the EDIT_NEWS permission, the link does NOT show up, which is as expected; however, if I were to put in the URL it would gladly take me there and let me do everything just as if I had FULL_ADMIN.

Right now I'm just going through each admin module and in all the public functions I'm doing a check for the permission. I'm even adding a few to the core common classes corresponding to those that are public, but that is a bit more complicated because it isn't always required in the core common classes. Anyway, I hope this helps and I see a security fix soon =) Thanks.

Oxymoron290 commented 12 years ago

Video demonstrating the bug here. http://youtu.be/nCo5ovcb8tg

nabeelio commented 12 years ago

Hey, yeah, it basically just blocks the link. If you've fixed this in your copy, I'd appreciate a pull request, then I can merge it into the main project

nabeelio commented 12 years ago

The proper way to fix this is in core, to add a function that runs before every module, and then in the module, have a function that's called before load, which has the right permissions. This is how basically every other framework does it. I'll try to get to adding this soon, but I'm not sure if I want to do it for 3.0, or also backport it to the 2.x...

Oxymoron290 commented 12 years ago

I'm working on making one for a pull request. I couldn't actually let you pull our production script because it's heavily modified. Two, maybe three days tops?

Oxymoron290 commented 12 years ago

Also, I'm thinking about having the module (any module) initialize and declare a public variable 'public $perm = EDIT_NEWS;' for example, and have a core class check it. Still deciding which core class would be best, any suggestions?
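
The failure described in this thread (the menu template hides the link, but a module reached by typing its URL runs with no permission check) and the fix proposed in the comment above (each module declares the permission it needs, and core checks it once before the module loads) side by side, as an added example. This is not phpVMS code and not code from either participant: the constants, the group_has_perm stand-in, the module classes and the two dispatchers are hypothetical and only modelled on the names used in the discussion (EDIT_NEWS, EDIT_GROUPS, FULL_ADMIN, Auth::$usergroups).

```php
<?php
// Added illustration, not phpVMS code. Permission constants, the bitmask
// check, the module base class and both dispatchers are hypothetical
// stand-ins for the real project's PilotGroups / Auth / module classes.

const EDIT_NEWS   = 1 << 0;
const EDIT_GROUPS = 1 << 1;
const EDIT_FLEET  = 1 << 2;
const FULL_ADMIN  = 1 << 10;

// Stand-in for a group permission check: a user holds a permission if any
// of their groups carries the bit, or any group carries FULL_ADMIN.
function group_has_perm(array $group_masks, int $perm): bool {
    foreach ($group_masks as $mask) {
        if (($mask & FULL_ADMIN) === FULL_ADMIN || ($mask & $perm) === $perm) {
            return true;
        }
    }
    return false;
}

abstract class AdminModule {
    // Every module declares the permission it requires. Defaulting to
    // FULL_ADMIN means a module that forgets to declare one fails closed.
    public $perm = FULL_ADMIN;
    abstract public function index(): string;
}

class NewsModule extends AdminModule {
    public $perm = EDIT_NEWS;
    public function index(): string { return 'news editor'; }
}

class GroupsModule extends AdminModule {
    public $perm = EDIT_GROUPS;
    public function index(): string { return 'group editor'; }
}

// Vulnerable pattern: the navigation template decides whether to render
// the link, but the dispatcher trusts whatever module name is in the URL.
function dispatch_vulnerable(array $user_groups, string $module): string {
    $mod = new $module();
    return $mod->index();   // runs for any logged-in admin-panel user
}

// Hardened pattern: one check in core, before the module's action is
// called, using the permission the module itself declares.
function dispatch_checked(array $user_groups, string $module): string {
    $mod = new $module();
    if (!group_has_perm($user_groups, $mod->perm)) {
        http_response_code(403);
        return 'Forbidden';
    }
    return $mod->index();
}

// Constructed sample users: one group holding only EDIT_FLEET, one FULL_ADMIN.
$fleet_staff = [EDIT_FLEET];
$admin       = [FULL_ADMIN];

// The fleet-only user reaches the news module through the vulnerable
// dispatcher but is refused by the checked one; FULL_ADMIN passes both.
echo dispatch_vulnerable($fleet_staff, NewsModule::class), PHP_EOL;
echo dispatch_checked($fleet_staff, NewsModule::class), PHP_EOL;
echo dispatch_checked($admin, GroupsModule::class), PHP_EOL;
```

The point of the split is that a template check such as the group_has_perm(Auth::$usergroups, ...) calls quoted at the top of this issue only governs whether a link is rendered; it is not an access control. The check has to sit on the request path, ahead of every action a module exposes, which is why putting it once in the core dispatcher (keyed on a per-module $perm) covers new modules automatically, whereas adding it to each public function by hand is easy to miss.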

nabeelio commented 12 years ago

I can whip up the core module modifications tomorrow, it's something that's needed for the next version anyway. I think I will do it for 3.x only, what are your thoughts?

Oxymoron290 commented 12 years ago

Well how long until 3.x is available for stable release?

nabeelio commented 12 years ago

Not sure - but here's what I'll do. I'll make a new branch off of master for testing this, then I can merge it back into both. I'll need some help testing this for sure

Oxymoron290 commented 11 years ago

fixed in pull request #96

Vansers commented 11 years ago

We're missing the Add & Edit Fleet Link in the Admin. ;) Including a few links in the phpVMS Site & Settings link. ;)

Oxymoron290 commented 11 years ago

Verify you have the EDIT_FLEET permission, and verify you have the latest ./admin/templates/core_navigation.tpl