VirtueMart Forum

VirtueMart 2 + 3 + 4 => Virtuemart Development and bug reports => Topic started by: mgworld on June 03, 2015, 11:47:07 AM

Title: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 03, 2015, 11:47:07 AM
Hi, I think I found various bugs in the permissions management of Virtuemart.

This is the scenario: a fresh installation of joomla 3.4.1 and virtuemart 3.0.9. Sample data installed.

I want to allow a specific joomla user (named "shop") to manage "ONLY" virtuemart from the joomla backend, and to manage only the "NOT DANGEROUS" options, so I created a new User Group "Shop Managers" (with Public as group parent) and associated the new user "shop" to it.
I noticed that this user could not access the backend, so I associated the new group "Shop Managers" I created to the "Special" Viewing Access Level and, in the "Admin Login" option inside the Global Configuration Permissions section of joomla, I set "allowed" to my "shop" user. After that, the user "shop" could log in to the backend, but I could not see virtuemart options, so I went again in the joomla "Global Configuration" section and changed the following permissions in the VirtueMart section (always for the user "shop"):

"Permissions" Tab:
------------------
Configure ACL & Options INHERITED
Access Admin. Interface ALLOWED
VM Manager              ALLOWED
Allow raw Input         ALLOWED
Allow HTML Input        ALLOWED

"Product Categories" Tab:
-------------------------
ALL ALLOWED

"Products" Tab:
---------------
All ALLOWED except "Custom Fields", "Edit Custom Fields", "Review & Ratings"

"Manufacturers" Tab:
--------------------
All ALLOWED except "Manufacturer categories".

"Orders & Shoppers" Tab:
------------------------
All ALLOWED.

"Shop" Tab:
-----------
All INHERITED except "Media files" (ALLOWED).

"Configuration" Tab:
--------------------
All INHERITED.



Now, when I log in to the joomla backend with the new user "shop", I have the following problems:

1) In the "Taxes & Calculation Rules" section, in the top bar I see only the buttons EDIT and HELP; the buttons "Publish", "Unpublish", "New" and "Delete" that I see if I log in to the backend as superuser are no longer there.

2) Similarly as above, in the "Orders" section, I cannot see the Delete menu.

3) Similarly as above, in the "Shopper Group" section, I see only the "EDIT" and "HELP" button.

4) Similarly as above, in the "Coupons" section, I see only the HELP button.

5) I can click on the "Shop" option under the "SHOP" section, but I should not see that option, being that it's "not allowed" in the Calculated Setting of Global Configuration.

6) In the "Media Files" option under "SHOP" section, I see only the HELP button.


I tried on a remote Linux hosting and on a localhost linux machine and the result is exactly the same. Are these bugs, or is there something wrong in what I do?
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 04, 2015, 12:43:49 PM
Hi, being that I'm not proficient with the Virtuemart source code, could someone point me to the relevant source files that are related to the display of the buttons in the top bar of the backend (with the buttons to edit, delete, create, etc.)? I could try to find the solution myself and post the results here.
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 04, 2015, 14:23:03 PM
You need mainly the VM manager, then they can manage from FE
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 04, 2015, 16:21:43 PM
Hi Milbo, thank you for the answer, but how can I manage virtuemart from FE? Is there a special link?

EDIT: I think I managed to access the FE, but then the graphics are all messed up, as if there were no template anymore, and... exactly the same problems remain as described in the first post: in many sections of the virtuemart FE the buttons "Publish", "Unpublish", "New" and "Delete" that I see if I log in as superuser are no longer there.
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 05, 2015, 14:17:01 PM
Ehrm, almost any view has a tab with settings for that.
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 08, 2015, 11:15:58 AM
Sorry Milbo, I don't know if I have understood what you mean, but maybe I'm not able to explain my problem well... Let me give an example:

In the "Global Configuration" section of the joomla backend (VirtueMart section) I see only the following permission rules related to the Taxes:

- Taxes & Calculation Rules
- Edit Taxes and Calculation Rules

If I "allow" both the above rules for my "shop" user (which is not a superuser, as I described in the first post), then he will be able to see the "Taxes & Calculation Rules" option under the PRODUCTS section in the backend... That's nice, but the problem now is that in the top bar he can see only the buttons EDIT and HELP. The buttons "Publish", "Unpublish", "New" and "Delete" have disappeared (check the attached image)... Is there a rule to reenable these buttons for "not superuser" users too?
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 08, 2015, 13:07:55 PM
How does this behave in joomla 2.5?
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 08, 2015, 14:56:32 PM
Quote from: Milbo on June 08, 2015, 13:07:55 PM
How does this behave in joomla 2.5?

I just tried on a clean new joomla 2.5.28 installation and the behaviour is exactly the same as in joomla 3.4.1  :-(
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 11, 2015, 11:08:14 AM
What are the relevant source files to check for the user groups that are allowed to display the Virtuemart top buttons (Edit, Delete, New, Publish, Unpublish, etc.) in the top bar of the joomla backend? I could try to fix this problem...
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 11, 2015, 19:04:33 PM
Thank you mgworld. I fixed it (I hope), small thing actually. If you wanna help us,

set up your svn and let's go: http://dev.virtuemart.net/projects/virtuemart/wiki/Setting_up_a_Development_Environment
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 11, 2015, 23:25:57 PM
fix is now here http://dev.virtuemart.net/projects/virtuemart/files vm3.0.9.4
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 12, 2015, 12:12:13 PM
Thanks! How do I update my existing virtuemart 3.0.9 installation to 3.0.9.4 without losing previous data? Can I just reinstall the files "com_virtuemart.3.0.9.4.zip" and "com_virtuemart.3.0.9.4_ext_aio.zip" from the joomla Extension Manager?
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 12, 2015, 15:38:09 PM
Always install over the existing installation (counts for "all" joomla extensions)
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 12, 2015, 16:29:23 PM
Hi, I updated virtuemart but unfortunately the mod doesn't work yet... :(

As I described in the first post, I created a user named "shop" with limited permissions (he can access the joomla backend but only the virtuemart menu).

In the "Taxes & Calculation Rules" section, now my "shop" user (with permissions set as I described in the first post) can see the Publish and Unpublish buttons (before the update he could see only the Edit and Help buttons), but not yet the New and Delete buttons.

In the "Orders" section, the user "shop" doesn't see the Delete button.

In the "Coupons" section the user "shop" sees only the Help button.

The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.

In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.

Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: Milbo on June 12, 2015, 21:29:29 PM
Quote from: mgworld on June 12, 2015, 16:29:23 PM
Hi, I updated virtuemart but unfortunately the mod doesn't work yet... :(

....

In the "Taxes & Calculation Rules" section, now my "shop" user (with permissions set as I described in the first post) can see the Publish and Unpublish buttons (before the update he could see only the Edit and Help buttons), but not yet the New and Delete buttons.

I would say you describe it now in a lot more detail. All I did was to decide that, as long as we do not have an ACL for publishing, it makes sense to show the publish/unpublish when you have the right to edit. The ACL system is something which will be enhanced slowly.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Orders" section, the user "shop" doesn't see the Delete button.

This is correct, only superadmins are meant to do that. Actually, you should avoid it anyway, it is not really legal, better is to use the "cancelled" state.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Coupons" section the user "shop" sees only the Help button.

I fear there is no ACL yet

Quote from: mgworld on June 12, 2015, 16:29:23 PM
The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.

He can see the shop menu, but should not be able to change the config.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.

Check the settings.
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 13, 2015, 13:24:27 PM
Quote from: Milbo on June 12, 2015, 21:29:29 PM
I would say you describe it now in a lot more detail. All I did was to decide that, as long as we do not have an ACL for publishing, it makes sense to show the publish/unpublish when you have the right to edit. The ACL system is something which will be enhanced slowly.

Ok, so I think it would make sense to implement another permission rule to "Create/delete Taxes & Calculation Rules", in addition to the "Edit Taxes and Calculation Rules".

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Orders" section, the user "shop" doesn't see the Delete button.

This is correct, only superadmins are meant to do that. Actually, you should avoid it anyway, it is not really legal, better is to use the "cancelled" state.

Ok.

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Coupons" section the user "shop" sees only the Help button.
I fear there is no ACL yet

Ok... In the meantime I think it would be better if the buttons to create/edit/delete coupons were available for all the users that have the "Coupons" permission allowed, being that it doesn't make much sense that my "shop" user can see existing coupons but cannot create new ones.

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.
He can see the shop menu, but should not be able to change the config.

Yes, I confirm he can see the menu but cannot change the config... Anyway I would prefer he could not see that menu at all (being that I selected "not allowed" in the relative permission settings).

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.
Check the settings.

Ok, you are right, this time I set "allowed" to the following rules in the Shop tab of the permission settings screen:
- Media Files
- Create
- Delete
- Edit
- Shipment Methods
- Payment Methods

Now, in the Media Files section, the user "shop" can see all the buttons in the top bar... Unfortunately this is not the case for "Shipment Methods" and "Payment Methods" (the "shop" user can see only "Clone payment" and "Help" buttons).
Title: Re: Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1
Post by: mgworld on June 29, 2015, 16:33:48 PM
Another bug (I think) is the impossibility to save changes to other shoppers' data, even though I set "allowed" to the permission "Edit users". This problem is described here too: http://forum.virtuemart.net/index.php?topic=124536.15

As I described there, I modded the file 

  **yourJoomlaPath**/administrator/components/com_virtuemart/tables/userinfos.php

I replaced line 104 with this one:

   if(!$user->authorise('core.admin','com_virtuemart') && !$user->authorise('vm.user.edit','com_virtuemart')){
         
With this mod, if a user has the permission "EDIT USERS" allowed, now he can save the changes in the backend even if he is not a SuperUser.

Do you think this problem could be fixed in the next release of VM, or should I apply this mod manually after each VM upgrade? This fix is necessary to me because I created a special user (not superuser) that can access only a selected group of VM backend options... For example he should be able to assign a different shopper group to a shopper, and without the fix he could do this only if he were a superuser.

EDIT: I forgot to mention that for this to work the user has to be in the EDITOR user group too (but I don't know why...).
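
Added example, not part of the original posts and not VirtueMart or Joomla source: a simplified PHP model of how Joomla arrives at a Calculated Setting (Inherited is a missing rule, an explicit Denied wins, no rule at all means not allowed), applied to the condition from the modified line in userinfos.php. The group ids, the "Restricted" group, the rule table and the helper names are constructed for illustration; it models only that one condition, not any other check in VirtueMart's save path.

```php
<?php
// Added illustration, not VirtueMart or Joomla source. Group ids are constructed:
// 1 Public, 8 Super Users, 10 Shop Managers (parent Public), 11 hypothetical "Restricted".
const GROUP_PARENT = [1 => null, 8 => null, 10 => 1, 11 => 1];

// asset => action => [groupId => true (Allowed) | false (Denied)]; INHERITED is a
// missing entry. Values are constructed; the action names are the ones in the thread.
const RULES = [
    'root'           => ['core.admin'   => [8 => true]],
    'com_virtuemart' => ['vm.user.edit' => [10 => true, 11 => false]],
];

// A group carries its own identity plus those of all its ancestors.
function groupPath(int $groupId): array {
    $path = [];
    for ($g = $groupId; $g !== null; $g = GROUP_PARENT[$g]) {
        $path[] = $g;
    }
    return $path;
}

function authorise(array $userGroups, string $action, string $asset): bool {
    $identities = [];
    foreach ($userGroups as $g) {
        $identities = array_merge($identities, groupPath($g));
    }
    $allowed = false;
    foreach (array_unique(['root', $asset]) as $level) { // asset path, root first
        foreach ($identities as $id) {
            $rule = RULES[$level][$action][$id] ?? null;
            if ($rule === false) {
                return false;          // an explicit Denied always wins
            }
            $allowed = $allowed || $rule === true;
        }
    }
    return $allowed;                   // no rule anywhere: not allowed
}

// Condition from the modified line in userinfos.php: the save is refused
// only when the user has neither core.admin nor vm.user.edit.
function saveRefused(array $userGroups): bool {
    return !authorise($userGroups, 'core.admin', 'com_virtuemart')
        && !authorise($userGroups, 'vm.user.edit', 'com_virtuemart');
}

$users = ['Super Users' => [8], 'Shop Managers' => [10], 'Shop Managers + Restricted' => [10, 11], 'Public' => [1]];
foreach ($users as $name => $groups) {
    printf("%-27s save %s\n", $name, saveRefused($groups) ? 'refused' : 'permitted');
}
```

In this model the save is permitted for Super Users and Shop Managers and refused for Public and for a user who is also in the group with an explicit Denied.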