Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1

Started by mgworld, June 03, 2015, 11:47:07 AM

mgworld

Hi, I think I found various bugs in the permissions management of Virtuemart.

This is the scenario: new fresh installation of Joomla 3.4.1 and VirtueMart 3.0.9. Sample data installed.

I want to allow a specific joomla user (named "shop") to manage "ONLY" virtuemart from the joomla backend, and to manage only the "NOT DANGEROUS" options, so I created a new User Group "Shop Managers" (with Public as group parent) and associated the new user "shop" to it.
I noticed that this user could not access the backend, so I associated the new group "Shop Manager" I created to the "Special" Viewing Access Level and, in the "Admin Login" option inside the Global Configuration Permissions section of joomla, I set "allowed" to my "shop" user. After that, the user "shop" could login to the backend, but I could not see virtuemart options, so I went again in the joomla "Global Configuration" section and changed the following permissions in the VirtueMart section (always for the user "shop"):

"Permissions" Tab:
------------------
Configure ACL & Options INHERITED
Access Admin. Interface ALLOWED
VM Manager              ALLOWED
Allow raw Input         ALLOWED
Allow HTML Input        ALLOWED

"Product Categories" Tab:
-------------------------
ALL ALLOWED

"Products" Tab:
---------------
All ALLOWED except "Custom Fields", "Edit Custom Fields", "Review & Ratings"

"Manufacturers" Tab:
--------------------
All ALLOWED except "Manufacturer categories".

"Orders & Shoppers" Tab:
------------------------
All ALLOWED.

"Shop" Tab:
-----------
All INHERITED except "Media files" (ALLOWED).

"Configuration" Tab:
--------------------
All INHERITED.



Now, when I login to the joomla backend with the new user "shop", I have the following problems:

1) In the "Taxes & Calculation Rules" section, in the top bar I see only the buttons EDIT and HELP, but there aren't anymore the buttons "Publish", "Unpublish", "New" and "Delete" that I see if I login to the backend as superuser.

2) Similarly as above, in the "Orders" section, I cannot see the Delete menu.

3) Similarly as above, in the "Shopper Group" section, I see only the "EDIT" and "HELP" button.

4) Similarly as above, in the "Coupons" section, I see only the HELP button.

5) I can click on the "Shop" option under the "SHOP" section, but I should not see that option, being that it's "not allowed" in the Calculated Setting of Global Configuration.

6) In the "Media Files" option under "SHOP" section, I see only the HELP button.


I tried on a remote Linux hosting and on a localhost Linux machine and the result is exactly the same. Are these bugs, or is there something wrong in what I do?

mgworld

Hi, being that I'm not proficient with the Virtuemart source code, could someone address me to the relevant source files that are related to the display of the buttons in the top bar of the backend (with the buttons to edit, delete, create, etc.)? I could try to find the solution myself and post here the results.

Milbo

You need mainly the VM manager, then they can manage from FE
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

mgworld

Hi Milbo, thank you for the answer, but how can I manage virtuemart from FE? Is there a special link?

EDIT: I think I managed to access to the FE, but then the graphics is all messed-up, like there were no more a template, and... Remain exactly the same problems as described in the first post: in many sections of the virtuemart FE there aren't anymore the buttons "Publish", "Unpublish", "New" and "Delete" that I see if I login as superuser.

Milbo

Ehrm, almost any view has a tab with settings for that.

mgworld

Sorry Milbo, I don't know if I have understood what you mean, but, maybe I'm not able to explain well my problem... Let me do an example:

In the "Global Configuration" section of the joomla backend (VirtueMart section) I see only the following permission rules related to the Taxes:

- Taxes & Calculation Rules
- Edit Taxes and Calculation Rules

If I "allow" both the above rules for my "shop" user (which is not a superuser, as I described in the first post), then he will be able to see the "Taxes & Calculation Rules" option under the PRODUCTS section in the backend... That's nice, but the problem now is that in the top bar he can see only the buttons EDIT and HELP. The buttons "Publish", "Unpublish", "New" and "Delete" have disappeared (check the attached image)... Is there a rule to reenable these buttons for "not superuser" users too?

Milbo


mgworld

Quote from: Milbo on June 08, 2015, 13:07:55 PM
How does this behave in joomla 2.5?

I just tried on a clean new joomla 2.5.28 installation and the behaviour is exactly the same as in joomla 3.4.1  :-(

mgworld

What are the relevant source files to check for the user groups that are allowed to display the Virtuemart top buttons (Edit, Delete, New, Publish, Unpublish, etc.) in the top bar of the joomla backend? I could try to fix this problem...

Milbo

Thank you mgworld. I fixed it (I hope), small thing actually. If you wanna help us, set up your svn and let's go: http://dev.virtuemart.net/projects/virtuemart/wiki/Setting_up_a_Development_Environment

Milbo


mgworld

Thanks! How do I update my existing virtuemart 3.0.9 installation to the 3.0.9.4 without losing previous data? I can just reinstall the file "com_virtuemart.3.0.9.4.zip" and "com_virtuemart.3.0.9.4_ext_aio.zip" from joomla Extension Manager?

Milbo

Always install over the existing installation (counts for "all" joomla extensions)

mgworld

Hi, I updated virtuemart but unfortunately the mod doesn't work yet... :(

As I described in the first post, I created a user named "shop" with limited permissions (he can access the joomla backend but only the virtuemart menu).

In the "Taxes & Calculation Rules" section, now my "shop" user (with permissions set as I described in the first post) can see the Publish and Unpublish buttons (before the update he could see only the Edit and Help buttons), but not yet the New and Delete buttons.

In the "Orders" section, the user "shop" doesn't see the Delete button.

In the "Coupons" section the user "shop" sees only the Help button.

The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.

In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.


Milbo

Quote from: mgworld on June 12, 2015, 16:29:23 PM
Hi, I updated virtuemart but unfortunately the mod doesn't work yet... :(

....

In the "Taxes & Calculation Rules" section, now my "shop" user (with permissions set as I described in the first post) can see the Publish and Unpublish buttons (before the update he could see only the Edit and Help buttons), but not yet the New and Delete buttons.
I would say you describe it now in a lot more detail. All I did was to decide that, as long as we do not have an ACL for publishing, it makes sense to show the publish/unpublish when you have the right to edit. The ACL system is something which will be enhanced slowly.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Orders" section, the user "shop" doesn't see the Delete button.

This is correct, only superadmins are meant to do that. Actually, you should avoid it anyway, it is not really legal, better is to use the "cancelled" state.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Coupons" section the user "shop" sees only the Help button.
I fear there is no ACL yet

Quote from: mgworld on June 12, 2015, 16:29:23 PM
The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.
He can see the shop menu, but should not be able to change the config.

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.
Check the settings.
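
The behaviour discussed in this thread, as an added example that is not part of any post and is not Joomla or VirtueMart source code: a simplified model of how an Inherited/Allowed/Denied setting is calculated along a group chain, and how the toolbar changes once Publish/Unpublish follow the edit right. The action names are hypothetical placeholders, and treating New/Delete as super-user only is an assumption taken from what the "shop" user reports seeing.

```python
# Added illustration: a simplified model, not Joomla or VirtueMart code.
ALLOWED, DENIED, INHERITED = "allowed", "denied", "inherited"

# Group parents as set up in the first post: "Shop Managers" under "Public".
PARENT = {"Public": None, "Shop Managers": "Public"}

# Explicit settings per group; action names are hypothetical placeholders.
RULES = {
    "Public": {},
    "Shop Managers": {
        "core.manage": ALLOWED,  # "Access Admin. Interface"
        "calc.view": ALLOWED,    # "Taxes & Calculation Rules"
        "calc.edit": ALLOWED,    # "Edit Taxes and Calculation Rules"
        "config": INHERITED,     # "Configuration" tab left on Inherited
    },
}

def calculated(group, action):
    """Walk group -> parents: an explicit deny wins, else any allow, else not allowed."""
    seen_allow = False
    while group is not None:
        setting = RULES.get(group, {}).get(action, INHERITED)
        if setting == DENIED:
            return False
        seen_allow = seen_allow or setting == ALLOWED
        group = PARENT[group]
    return seen_allow

def toolbar(group, edit_action, is_super=False, publish_follows_edit=True):
    """Buttons for a list view; publish_follows_edit models the change Milbo describes."""
    can_edit = is_super or calculated(group, edit_action)
    buttons = []
    if is_super:  # assumption: New/Delete stay super-user only
        buttons += ["New", "Delete"]
    if can_edit:
        buttons.append("Edit")
    if is_super or (publish_follows_edit and can_edit):
        buttons += ["Publish", "Unpublish"]
    buttons.append("Help")
    return buttons

if __name__ == "__main__":
    print("before:", toolbar("Shop Managers", "calc.edit", publish_follows_edit=False))
    print("after: ", toolbar("Shop Managers", "calc.edit"))
    print("config allowed:", calculated("Shop Managers", "config"))
```

A setting left on Inherited resolves to not allowed unless a parent group allows it, which is why a visible menu entry alone says nothing about whether the underlying action is permitted.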