Can't edit user - hacking attempt

Started by Khaostar, June 25, 2014, 17:49:20 PM

yako

This is not a solution, just a hint on where the problem might be.

In administrator/components/com_virtuemart/models/user.php there's a line that reads "if(Permissions::getInstance()->check("admin"))". If you disable this or set it to always evaluate to true, your non-admin user with permissions to see and edit shoppers won't get the "hacking attempt" warning and will be able to see any shopper's details. But he still won't be able to save the changes he makes.

As I said, it's not a solution, just a hint to see if it helps get anybody on track towards really solving the issue.

Yako

mgworld

Hi, I had exactly the same annoying problem, but with VirtueMart 3.0.9.4 and Joomla 3.4.1.

I think I solved it by modding the following file:

   **yourJoomlaPath**/administrator/components/com_virtuemart/tables/userinfos.php

I replaced line 104 with this one:

   if(!$user->authorise('core.admin','com_virtuemart') && !$user->authorise('vm.user.edit','com_virtuemart')){
         
With this mod, if a user has the permission "EDIT USERS" allowed, he can now save the changes in the backend even if he is not a SuperUser.

In a previous post a user said that this has not been implemented because it isn't part of the VM "philosophy"... But, honestly, I don't understand what he means... If you give a permission to a usergroup "MyGroupX" to EDIT USERS in the VirtueMart backend, then normally you expect that a user in the usergroup "MyGroupX" should be able to edit users (except the superuser's account, of course)... This is necessary, for example, to assign a shopper to another shopper group without having to be a superadmin. I like to create a special administrative user that can access only the necessary VirtueMart options in the backend, so he cannot do much damage.

EDIT: I forgot to mention that for this to work the user has to be in the EDITOR user group too (but I don't know why...).

ttigerwods

I solved it by changing the function's return to true
in /administrator/components/com_virtuemart/helpers/permissions.php in

public function check($perms,$acl=0) at line 241 - VM2

Studio 42

Hi,
This is the best way to unsecure your shop admin access.
Simply change the main user ID in tools > migration; this most times solves the problem. If not, then find another solution than this.

Regards,
Patrick


Quote from: ttigerwods on August 08, 2015, 21:34:43 PM
I solved it by changing the function's return to true
in /administrator/components/com_virtuemart/helpers/permissions.php in

public function check($perms,$acl=0) at line 241 - VM2
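
Added example (not part of any post in this thread, and not VirtueMart or Joomla code): a stand-alone PHP 8 model that compares the admin-only check, the `vm.user.edit` condition from the `userinfos.php` change, and a `check()` forced to return true. `DemoUser`, the gate closures and the user grants are constructed for illustration, and the quoted `if` is assumed to be the deny branch.

```php
<?php
// Added illustration, not VirtueMart or Joomla code. DemoUser and the gates
// are hypothetical stand-ins; the users and their grants are constructed.

final class DemoUser
{
    public function __construct(public string $name, private array $grants) {}

    // Same call shape as the authorise() line quoted in the thread.
    public function authorise(string $action, string $asset): bool
    {
        return $asset === 'com_virtuemart' && in_array($action, $this->grants, true);
    }
}

// A user is entitled to edit shoppers only with one of these two grants.
$entitled = fn(DemoUser $u): bool => $u->authorise('core.admin', 'com_virtuemart')
    || $u->authorise('vm.user.edit', 'com_virtuemart');

$gates = [
    // Admin-only check, as described for models/user.php in the thread.
    'admin only' => fn(DemoUser $u): bool => $u->authorise('core.admin', 'com_virtuemart'),
    // userinfos.php change: the quoted condition is assumed to be the deny
    // branch, so access is granted on core.admin OR vm.user.edit.
    'admin or vm.user.edit' => $entitled,
    // check() forced to return true: no caller is ever refused.
    'check() returns true' => fn(DemoUser $u): bool => true,
];

$users = [
    new DemoUser('superuser', ['core.admin', 'vm.user.edit']),
    new DemoUser('shop manager', ['core.manage', 'vm.user.edit']),
    new DemoUser('backend user', ['core.manage']),
    new DemoUser('no grants', []),
];

foreach ($gates as $label => $gate) {
    foreach ($users as $u) {
        $allowed = $gate($u);
        // Fail-open: allowed although the user holds neither relevant grant.
        $flag = ($allowed && !$entitled($u)) ? '  <-- fail-open' : '';
        printf("%-22s %-13s %-5s%s\n", $label, $u->name, $allowed ? 'allow' : 'deny', $flag);
    }
}
```

Only the third gate produces fail-open rows, for the two users that hold neither `core.admin` nor `vm.user.edit`.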

lindapowers

Did someone manage to solve it?

Even in the current version, VM 3.010, it seems impossible for administrators to edit users.