Control panel visible to users.

Archived from the Web Auction Discussion forum.

GrizBear — Fri Mar 16, 2012 2:51 pm

Hi Master Steve,
Just came across this scare.
As a user if I click on the following:
Under the user name it shows "my profile" and "change password".
When you click on "my profile", you get a "current record" screen with two columns, bids & details.
If you click on the user name underneath bids, it gives you the current record of that bid with details, and
underneath the "logged in as", you now have the option of the control panel, which the user can access…

I hope this is not normal… and is there a fix for this…

Thanks Master Steve

De GrizBear


shannah — Fri Mar 16, 2012 3:25 pm

Here is a diff that shows how to fix this issue:

macbook:webauction-svn shannah$ svn diff -r 3424:3425 . Index: tables/bids/bids.php =================================================================== --- tables/bids/bids.php   (revision 3424) +++ tables/bids/bids.php   (revision 3425) @@ -12,8 +12,9 @@    */       //if ( $record ) echo "Yes"; else echo "No";       //if ( $record and $record->val('username') ) echo "We have a username"; -      if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) { -         $perms = Dataface_PermissionsTool::ALL(); +      if ( isAdmin() ) return null; +      if (  $record and ($record->strval('username') == getUsername())) { +         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');       } else {          $perms = Dataface_PermissionsTool::NO_ACCESS();       }
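Review bot: the early `return null` for isAdmin() means this table delegate no longer grants admins anything; admin access to bids now depends entirely on the application-level getPermissions() returning at least what ALL() did here, so that should be checked together with this change, otherwise admins lose bid access instead of ordinary users losing the control panel. The owner branch correctly drops from Dataface_PermissionsTool::ALL() to getRolePermissions('EDIT'), which is what takes the control panel away from non-admins. The two commented-out debug echo lines kept above the check could be removed in the same commit.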

GrizBear — Fri Mar 16, 2012 5:05 pm

shannah wrote: Here is a diff that shows how to fix this issue:

macbook:webauction-svn shannah$ svn diff -r 3424:3425 . Index: tables/bids/bids.php =================================================================== --- tables/bids/bids.php   (revision 3424) +++ tables/bids/bids.php   (revision 3425) @@ -12,8 +12,9 @@    */       //if ( $record ) echo "Yes"; else echo "No";       //if ( $record and $record->val('username') ) echo "We have a username"; -      if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) { -         $perms = Dataface_PermissionsTool::ALL(); +      if ( isAdmin() ) return null; +      if (  $record and ($record->strval('username') == getUsername())) { +         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');       } else {          $perms = Dataface_PermissionsTool::NO_ACCESS();       }

Thanks, however, I am lost as to what to do with it!!
I copied and pasted the info and it gave errors.
Sorry Master, but where can I put this info, please????


shannah — Fri Mar 16, 2012 8:29 pm

This means, in the file tables/bids/bids.php, change the lines:

      if ( isAdmin() or ( $record and ($record->strval('username') == getUsername()))) {
         $perms = Dataface_PermissionsTool::ALL();

to

      if ( isAdmin() ) return null;
      if ( $record and ($record->strval('username') == getUsername()) ) {
         $perms = Dataface_PermissionsTool::getRolePermissions('EDIT');
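For readers who, like GrizBear, want to see where those lines live, here is the complete table delegate method the fix belongs in, written as an added example rather than copied from the Web Auction project. It assumes the Xataface delegate-class convention (a class named after the table with a getPermissions() method), that isAdmin() and getUsername() are the application helpers already referenced in the posts above, and that admin rights are defined in the application-level delegate, which is the usual place but is not shown on this page.

```php
<?php
// tables/bids/bids.php -- added example of the fixed delegate, not the
// project's own file. Assumes isAdmin() and getUsername() are the helpers
// the Web Auction app already provides, and that Xataface loads this class
// (so Dataface_PermissionsTool and Dataface_Record are available).

class tables_bids {

    /**
     * Table-level permissions for the "bids" table.
     *
     * The original version returned Dataface_PermissionsTool::ALL() for the
     * record owner. ALL() grants every permission, including the "manage"
     * permissions that make the control panel appear, which is why a normal
     * user saw the control panel after drilling into one of their own bids.
     *
     * @param Dataface_Record|null $record  The bid being viewed, or null when
     *                                      no single record is in context.
     * @return array|null  Permission map, or null to defer to the application.
     */
    function getPermissions(&$record) {
        // Admins: grant nothing here. Returning null tells Xataface to fall
        // through to the application-level getPermissions() (assumed to live
        // in conf/ApplicationDelegate.php), which is where admin rights belong.
        if ( isAdmin() ) return null;

        // Owner of this bid: the EDIT role only (view and edit own record).
        // Never ALL() for an ordinary user.
        if ( $record and $record->strval('username') == getUsername() ) {
            return Dataface_PermissionsTool::getRolePermissions('EDIT');
        }

        // Everyone else, and the no-record case: no access.
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}
```

After making the change, verify it the way the bug was found: log in as a non-admin user, open my profile, click the user name under bids, and confirm the control panel link no longer appears under "logged in as"; then log in as an admin and confirm bids are still editable, since admin access now comes only from the application-level permissions. It is also worth searching the other table delegates for Dataface_PermissionsTool::ALL() granted to record owners, because the same pattern elsewhere would expose the control panel in the same way.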