Can't edit user - hacking attempt

Started by Khaostar, June 25, 2014, 17:49:20 PM


Khaostar

Hi all!

I'm currently using Joomla 2.5.20 and VirtueMart 2.6.6. I'm using the new permissions feature of VirtueMart, but the only way to edit a shopper is to be logged in as a super admin.

Here's my config for now:
I created a Joomla user group under the admin group. I gave it all access except "Super Admin".
Then I removed permissions to every menu except for VirtueMart.
I set all the permissions in VirtueMart too.
Now the user can access everything in the VirtueMart backend, but can't edit the shoppers. Every time I try to click on a shopper to edit it, it says "hacking attempt".

Could anyone help me with that?

Thanks!

jenkinhill

Try including permissions for Joomla's User manager.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Khaostar

Hi,

Seems logical! But it doesn't solve the problem. Still got the "hacking attempt" message and I can't edit the shoppers.

Thanks for your help!

Khaostar

Any other suggestions, anyone? I can't figure out how to edit the shoppers without being a super admin.

Thanks!

bluezeyes

Well, if you can't edit the shopper via BE, then you can still edit them via phpMyAdmin / MySQL access directly on the tables...


Khaostar

Of course I know that... And I can also edit the shopper with a Super Admin account. But the problem is that I NEED to be able to edit the shoppers in the back end with a "non super admin" user account.

The point is that some users will have to edit the shoppers and the products in VirtueMart, but I don't want them to have access to the Joomla backend. In short: the user group has to have access to everything in VirtueMart, but nothing in Joomla. So far, it's working for everything except for editing the shoppers.

Khaostar

Anyone? I really need that feature. I can't be alone.

AH

Regards
A

Joomla 3.10.11
php 8.0

GJC Web Design

It isn't part of the VM "philosophy" to allow what you want, so the only way you will achieve this is a core hack...
GJC Web Design

Khaostar

Well... I don't like to do core hacks, but I don't really have a choice for now.

So here is the solution if anyone is interested:

In the file administrator/com_virtuemart/models/user.php, line 81. Simply remove (or comment out) the condition that checks the permissions, including the "if", the "else" and the content of the "else", and it should work.

Khaostar

Never mind, it's not working 100%.

In the file mentioned in my last post, you have to edit all the "Permissions::getInstance()->check('admin')" conditions that you find. Now it's partially working. I can edit the basic user info such as username, mail, etc., but I can't edit the billing and shipping address. I don't get any error message, but it's just not saving...

lindapowers

This is a serious bug and happens even in the latest VM version, 2.6.14.

An administrator can't edit users; he is redirected to his own profile with the warning message "hacking attempt".

All the permissions are correctly set up and work for everything except editing users.

A solution is more than welcome.

Currently, only clicking the option I show in the image will allow administrators to edit users, but that will give the administrator permission to change configuration etc., which of course is not the solution.



Regards

Milbo

vmtable.php around line 1425 in the function check... please replace the line

$admin = $admin = $user->authorise('core.admin','com_virtuemart') ;

with

$admin = $user->authorise('core.admin','com_virtuemart') || $user->authorise('core.manage','com_virtuemart') || $user->authorise('vm.user.edit','com_virtuemart');
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
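
An added illustration of what the changes discussed in this thread do to the admin gate; it is not VirtueMart code and not part of any post. `DemoUser`, `mayEdit` and the sample accounts are hypothetical stand-ins, and the "non-admin may only edit their own record" rule is an assumption based on the redirect-to-own-profile behaviour described above. It needs PHP 8.0 or later.

```php
<?php
// Stand-in for a Joomla user object (hypothetical, not Joomla's own class):
// it only records which actions are granted on which asset.
final class DemoUser
{
    public function __construct(public int $id, private array $granted) {}
    // Same call shape as the lines quoted in the thread: authorise(action, asset).
    public function authorise(string $action, string $asset): bool
    {
        return in_array($action, $this->granted[$asset] ?? [], true);
    }
}

// Policy A: the line as quoted from vmtable.php (core.admin only).
function isAdminOriginal(DemoUser $u): bool
{
    return $u->authorise('core.admin', 'com_virtuemart');
}

// Policy B: the replacement line proposed in the thread.
function isAdminPatched(DemoUser $u): bool
{
    return $u->authorise('core.admin', 'com_virtuemart')
        || $u->authorise('core.manage', 'com_virtuemart')
        || $u->authorise('vm.user.edit', 'com_virtuemart');
}

// Assumed guard shape: a non-admin may only edit their own record.
function mayEdit(DemoUser $actor, int $targetId, callable $isAdmin): bool
{
    return $isAdmin($actor) || $actor->id === $targetId;
}

// Constructed accounts (ids and grants are made up for the example).
$users = [
    'staff'   => new DemoUser(10, ['com_virtuemart' => ['vm.user.edit']]),
    'manager' => new DemoUser(11, ['com_virtuemart' => ['core.manage']]),
    'shopper' => new DemoUser(12, []),
];
$policies = [
    'original' => 'isAdminOriginal',
    'patched'  => 'isAdminPatched',
    'removed'  => fn(DemoUser $u): bool => true, // check commented out entirely
];
foreach ($policies as $name => $isAdmin) {
    foreach ($users as $label => $actor) {
        printf("%-8s %-7s edits user 99: %s\n", $name, $label, mayEdit($actor, 99, $isAdmin) ? 'allow' : 'deny');
    }
}
```

Under these assumptions, the patched line also admits any account holding `core.manage`, and deleting the check admits every account that reaches the code path. Granting only `vm.user.edit` to the shop-staff group keeps the widened gate limited to the people who need it.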

lindapowers

Hi Milbo

The line I found is around line 886 in /administrator/components/com_virtuemart/helpers/vmtable.php:

$admin = $user->authorise('core.admin','com_virtuemart');

I replaced it with:

$admin = $user->authorise('core.admin','com_virtuemart') || $user->authorise('core.manage','com_virtuemart') || $user->authorise('vm.user.edit','com_virtuemart');

But it had no effect on the issue; we still get the "hacking attempt" message.


yako

Hi, lindapowers & Milbo

My VM version: 2.6.16

I have exactly the same problem: if a user is not a super admin but has permissions to access and edit shoppers in the backend, every time he tries to edit a shopper he gets a "hacking attempt" warning. Apart from that, the user edit screen that opens is always his own (instead of the user he selected to edit) and all fields except email, username and displayed name are blank.

I tried Jenkinhill's and Milbo's solutions, but to no avail.

I'm still looking into it... In the meantime, has anyone found a working solution yet?

Thanks!

Yako