VirtueMart Forum

VirtueMart 2 + 3 + 4 => Virtuemart Development and bug reports => Topic started by: lindapowers on January 12, 2015, 21:31:55 PM

Title: Administrators can't view or edit users in backend - hacking attempt VM 3.0.10
Post by: lindapowers on January 12, 2015, 21:31:55 PM
Hi

Permissions work in all cases for administrators, but not when editing or viewing users.

In this case the administrator will get prompted with a "hacking attempt" message and will be redirected to his own details.

Please note I'm talking about administrators, not super users. I believe that is why this bug may still be present, since it was commented on here http://forum.virtuemart.net/index.php?topic=124536.0

Regards

VirtueMart 2.6.14, Joomla! 2.5.25
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 2.6.14
Post by: lindapowers on January 20, 2015, 13:17:32 PM
I'll cry once more for this: our workers (administrators) can't edit users in the backend, and that is a pain! We don't want to give them access to mess with VM settings. Please, we need a solution for this.

Regards
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 2.6.14
Post by: Milbo on January 23, 2015, 21:47:44 PM
It is definitely fixed for VM3. I don't know why it does not work for you in VM 2.6.14.
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 2.6.14
Post by: lindapowers on February 05, 2015, 11:29:10 AM
Quote from: Milbo on January 23, 2015, 21:47:44 PM
It is definitely fixed for VM3. I don't know why it does not work for you in VM 2.6.14.

I think it doesn't work for anyone in VM 2.6.14; only a few mentioned it, as I believe not many of us use administrators as vendors, removing the super user privilege.

I tried in 3 different installations and the same happened, but anyway I'll wait till we update to VM3.

Regards
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 2.6.14
Post by: lindapowers on October 09, 2015, 01:47:32 AM
I've seen several topics relating to permission issues.

VM 3.0.10 now.

Administrators can't edit user details in the backend:

Saving details will show:

Error

vmError: Hacking attempt uid check, you got logged

And changes won't be saved either.

We still have to give our administrators full access to configuration etc., or they are not able to edit customer details in the backend.
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 3.0.10
Post by: Milbo on October 09, 2015, 08:27:52 AM
Seems you missed something: http://docs.virtuemart.net/manual/general-concepts/185-administrative-frontend-access-with-acl.html

It is working very well for us and we use the system intensively in our own live store.

Quote
vmError: Hacking attempt uid check, you got logged
And changes won't be saved either.
Of course not, you are recognised as a hacker; it would be strange if it updated the data even though you are recognised as a hacker.
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 3.0.10
Post by: lindapowers on October 12, 2015, 09:19:01 AM
Quote from: Milbo on October 09, 2015, 08:27:52 AM
Seems you missed something: http://docs.virtuemart.net/manual/general-concepts/185-administrative-frontend-access-with-acl.html

It is working very well for us and we use the system intensively in our own live store.

Quote
vmError: Hacking attempt uid check, you got logged
And changes won't be saved either.
Of course not, you are recognised as a hacker; it would be strange if it updated the data even though you are recognised as a hacker.

Hi Max, thanks. I read the documentation carefully, but nothing changes. Please check this post https://forum.virtuemart.net/index.php?topic=124536.0

I think the bug is still present.

Configuring ACL & Options to "Denied" for an administrator won't allow him to edit shopper details, even with "edit users" allowed.
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 3.0.10
Post by: lindapowers on October 19, 2015, 13:15:30 PM
Ok Max, a developer fixed this for us and now it is working. Please check it, since this happens even in the latest VM.

The fix is done in administrator/components/com_virtuemart/tables/userinfos.php

I copied what he said and uploaded the file, renamed to .txt, with the fixes for VM 3.0.11.

He said he added a simple check for $user->authorise('vm.user.edit','com_virtuemart') which was missing.

Quote
remove these lines
   if(!vmAccess::manager('core')){
    // Non-core users: look up which user owns the userinfo record being saved
    $q = "SELECT virtuemart_user_id
          FROM #__virtuemart_userinfos
          WHERE virtuemart_userinfo_id = ".$this->virtuemart_userinfo_id;
    $this->_db->setQuery($q);
    $total = $this->_db->loadColumn();

    if (count($total) > 0) {

     // Only the record owner may save; an administrator with vm.user.edit is still rejected here
     $userId = JFactory::getUser()->id;
     if($total[0]!=$userId){
      vmError('Hacking attempt uid check, you got logged');
      echo 'Hacking attempt uid check, you got logged';
      return false;
     }
    }
   }

and replace with

   if(!vmAccess::manager('core')){
    $user = JFactory::getUser();
    // Users holding vm.user.edit skip the owner check; everyone else may only save their own record
    if(!$user->authorise('vm.user.edit','com_virtuemart') ) {
     $q = "SELECT virtuemart_user_id
           FROM #__virtuemart_userinfos
           WHERE virtuemart_userinfo_id = ".$this->virtuemart_userinfo_id;
     $this->_db->setQuery($q);
     $total = $this->_db->loadColumn();

     if (count($total) > 0) {

      $userId = $user->id;
      if($total[0]!=$userId){
       vmError('Hacking attempt uid check, you got logged');
       echo 'Hacking attempt uid check, you got logged';
       return false;
      }
     }
    }
   }
Title: Re: Administrators can't view or edit users in backend - hacking attempt VM 3.0.10
Post by: Milbo on October 19, 2015, 23:15:46 PM
Thank you,

it should then be

if(!vmAccess::manager('user.edit')){
.............
}


Any use of $user->authorise is forbidden in VM code; vmAccess checks for admin automatically.
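To make the two versions of the check concrete, here is an added Python model (not VirtueMart's code) of the decision the userinfos table makes, using constructed stand-ins for vmAccess::manager(), JFactory::getUser() and the #__virtuemart_userinfos lookup. It shows why the original owner-only check rejects an administrator holding user.edit, and how gating on vmAccess::manager('user.edit') as Milbo suggests lets that administrator through while a shopper editing someone else's record is still denied and logged.

```python
"""Constructed model of the VirtueMart userinfos 'uid check' from this thread.
Stand-ins for vmAccess::manager(), JFactory::getUser() and the
#__virtuemart_userinfos table; this is not VirtueMart's own code."""
from dataclasses import dataclass, field

# Constructed rows of #__virtuemart_userinfos: virtuemart_userinfo_id -> virtuemart_user_id
USERINFOS = {101: 42, 102: 77}

LOG = []  # stand-in for what vmError() would record (the defender's audit trail)


@dataclass
class User:
    id: int
    perms: set = field(default_factory=set)  # e.g. {"core"} or {"user.edit"}

    def manager(self, action: str) -> bool:
        """Stand-in for vmAccess::manager(): core (super user) implies every action."""
        return "core" in self.perms or action in self.perms


def owner_of(userinfo_id: int):
    """SELECT virtuemart_user_id FROM #__virtuemart_userinfos WHERE virtuemart_userinfo_id = ?"""
    return USERINFOS.get(userinfo_id)


def uid_check(user: User, userinfo_id: int, gate: str) -> bool:
    """Users passing vmAccess::manager(gate) skip the owner test; everyone else may
    only save a record they own (or one that has no row yet, as in the original code).
    gate='core' models the original check, gate='user.edit' the suggested fix."""
    if user.manager(gate):
        return True
    owner = owner_of(userinfo_id)
    if owner is not None and owner != user.id:
        LOG.append(f"Hacking attempt uid check, you got logged (user {user.id} -> userinfo {userinfo_id})")
        return False
    return True


def compare(user: User, userinfo_id: int) -> tuple:
    """(original result, fixed result) for one user/record pair."""
    return uid_check(user, userinfo_id, "core"), uid_check(user, userinfo_id, "user.edit")


if __name__ == "__main__":
    super_user = User(1, {"core"})
    admin = User(5, {"user.edit"})    # the non-super-user administrator from the thread
    shopper = User(42)                # owns userinfo 101 only
    for who, rec in ((super_user, 101), (admin, 101), (shopper, 101), (shopper, 102)):
        print(who.id, rec, compare(who, rec))
    print(LOG)
```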