VirtueMart Forum

VirtueMart 2 + 3 + 4 => Administration & Configuration => Topic started by: Khaostar on June 25, 2014, 17:49:20 PM

Title: Can't edit user - hacking attempt
Post by: Khaostar on June 25, 2014, 17:49:20 PM
Hi all!

I'm currently using Joomla 2.5.20 and VirtueMart 2.6.6. I'm using the new permissions feature of VirtueMart, but the only way to edit a shopper is to be logged in as a super admin.

Here's my config for now:
I created a Joomla user group under the admin group. I gave it all access except "super Admin".
Then I removed permissions to every menu except for VirtueMart.
I set all the permissions in VirtueMart too.
Now the user can access everything in the VirtueMart backend, but can't edit the shoppers. Every time I try to click on a shopper to edit it, it says "hacking attempt".

Could anyone help me with that?

Thanks!
Title: Re: Can't edit user - hacking attempt
Post by: jenkinhill on June 25, 2014, 18:02:27 PM
Try including permissions for Joomla's User manager.
Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on June 25, 2014, 19:13:45 PM
Hi,

Seems logical! But it doesn't solve the problem. Still got the "hacking attempt" message and I can't edit the shoppers.

Thanks for your help!
Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on June 26, 2014, 14:42:08 PM
Some other suggestions, anyone? I can't figure out how to edit the shoppers without being a super admin.

Thanks!
Title: Re: Can't edit user - hacking attempt
Post by: bluezeyes on June 29, 2014, 02:52:19 AM
Well, if you can't edit the shopper Via BE, then you can still edit them via phpmyadmin / MySQL access directly on the tables...

Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on June 30, 2014, 16:39:39 PM
Of course I know that... And I can also edit the shopper with a Super Admin account. But the problem is that I NEED to be able to edit the shoppers in the back end with a "non super admin" user account.

The point is that some users will have to edit the shoppers and the products in VirtueMart but I don't want them to have access to the Joomla backend. In short: the user group has to have access to everything in VirtueMart, but nothing in Joomla. So far, it's working for everything except for shopper editing.
Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on July 03, 2014, 21:14:36 PM
Anyone? I really need that feature. I can't be alone.
Title: Re: Can't edit user - hacking attempt
Post by: AH on July 04, 2014, 10:08:07 AM
Apparently not?
Title: Re: Can't edit user - hacking attempt
Post by: GJC Web Design on July 04, 2014, 12:22:57 PM
It isn't part of the VM "philosophy" to allow what you want, so the only way you will achieve this is a core hack...
Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on July 04, 2014, 17:21:00 PM
Well... I don't like to do core hack, but I don't really have the choice for now.

So here is the solution if anyone is interested :

In the file administrator/com_virtuemart/models/user.php, line 81. Simply remove (or comment) the condition that checks the permissions, including the "if", "else" and the content in the "else", and it should work.
Title: Re: Can't edit user - hacking attempt
Post by: Khaostar on July 04, 2014, 20:40:15 PM
Never mind, it's not working 100%.

In the file mentioned in my last post, you have to edit all the "Permissions::getInstance()->check('admin')" conditions that you find. Now it's partially working. I can edit the basic user info such as username, mail, etc. but I can't edit the billing and shipping address. I don't get any error message but it's just not saving...
Title: Re: Can't edit user - hacking attempt
Post by: lindapowers on January 12, 2015, 12:47:31 PM
This is a serious bug and happens even in latest VM version 2.6.14

An administrator can't edit users, he is redirected to his own profile with the warning messages "hacking attempt"

All the permissions are correctly set up and work for everything except editing users.

A solution is more than welcome,

Currently only clicking what I show in the image will allow administrators to edit users, but that will give the administrator permission to change configuration etc., which of course is not the solution.

(http://s3.postimg.org/5ndp9dfz7/vmpermi.jpg)

Regards
Title: Re: Can't edit user - hacking attempt
Post by: Milbo on January 13, 2015, 21:24:29 PM
vmtable.php around line 1425 in the function check... please replace the line

$admin = $admin = $user->authorise('core.admin','com_virtuemart') ;

with

$admin = $user->authorise('core.admin','com_virtuemart') || $user->authorise('core.manage','com_virtuemart') || $user->authorise('vm.user.edit','com_virtuemart');
Title: Re: Can't edit user - hacking attempt
Post by: lindapowers on January 14, 2015, 11:55:49 AM
Hi Milbo

The line I found is around line 886 in /administrator/components/com_virtuemart/helpers/vmtable.php:

$admin = $user->authorise('core.admin','com_virtuemart');

I replaced it with:

$admin = $user->authorise('core.admin','com_virtuemart') || $user->authorise('core.manage','com_virtuemart') || $user->authorise('vm.user.edit','com_virtuemart');

But it had no effect on the issue; we still get the "hacking attempt".

Title: Re: Can't edit user - hacking attempt
Post by: yako on May 13, 2015, 18:04:29 PM
Hi, lindapowers & Milbo

My VM version: 2.6.16

I have exactly the same problem: if user is not super admin but has permissions to access and edit shoppers in the backend, every time he tries to edit a shopper he gets a "hacking attempt" warning. Apart from that, the user edit screen that opens is always his own (instead of the user he selected to edit) and all fields except email, username and displayed name are blank.

I tried Jenkinhill's and Milbo's solutions, but to no avail.

I'm still looking into it... In the meantime, has anyone found a working solution yet?

Thanks!

Yako
Title: Re: Can't edit user - hacking attempt
Post by: yako on May 14, 2015, 17:42:39 PM
This is not a solution, just a hint on where the problem might be.

In administrator/components/com_virtuemart/models/user.php there's a line that reads "if(Permissions::getInstance()->check("admin"))". If you disable this or set it to always evaluate to true, your non-admin user with permissions to see and edit shoppers won't get the "hacking attempt" warning and will be able to see any shopper's details. But he still won't be able to save the changes he makes.

As I said, it's not a solution, just a hint to see if it helps get anybody on track towards really solving the issue.

Yako
Title: Re: Can't edit user - hacking attempt
Post by: mgworld on June 29, 2015, 16:11:53 PM
Hi, I had exactly the same annoying problem, but with Virtuemart 3.0.9.4 and Joomla 3.4.1.

I think I solved it by modding the following file:

   **yourJoomlaPath**/administrator/components/com_virtuemart/tables/userinfos.php

I replaced the line 104 with this one:

   if(!$user->authorise('core.admin','com_virtuemart') && !$user->authorise('vm.user.edit','com_virtuemart')){
         
With this mod, if a user has the permission "EDIT USERS" allowed, he can now save the changes in the backend even if he is not a SuperUser.

In a previous post a user said that this has not been implemented because it isn't part of the VM "philosophy"... But, honestly, I don't understand what he means... If you give a permission to a usergroup "MyGroupX" to EDIT USERS in the VirtueMart backend, then normally you expect that a user in the usergroup "MyGroupX" should be able to edit users (except the superuser's account, of course)... This is necessary, for example, to assign a shopper to another shopper group without having to be a superadmin. I like to create a special administrative user that can access only the necessary VirtueMart options in the backend, so he cannot do much damage.

EDIT: I forgot to mention that for this to work the user has to be in the EDITOR user group too (but I don't know why...).
Title: Re: Can't edit user - hacking attempt
Post by: ttigerwods on August 08, 2015, 21:34:43 PM
I solved it by changing the function's return to true
in /administrator/components/com_virtuemart/helpers/permissions.php in

public function check($perms,$acl=0) at line 241 - VM2
Title: Re: Can't edit user - hacking attempt
Post by: Studio 42 on August 08, 2015, 22:06:31 PM
Hi,
This is the best way to unsecure your shop admin access.
Simply change the main user ID in tools > migration; most of the time this solves the problem. If not, then find another solution than this.

Regards,
Patrick


Quote from: ttigerwods on August 08, 2015, 21:34:43 PM
I solved it by changing the function's return to true
in /administrator/components/com_virtuemart/helpers/permissions.php in

public function check($perms,$acl=0) at line 241 - VM2
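
Added illustration, not part of any post in this thread and not VirtueMart's own code: a scoped, deny-by-default check of the kind mgworld describes (edit right granted, admin accounts still protected), next to a model of the always-true change that Studio 42 warns against. StubUser and canEditShopper() are hypothetical; only the authorise(action, asset) call shape and the permission names come from the thread, and the accounts are constructed samples.

```php
<?php
// Hypothetical stand-in that mimics only the call shape of Joomla's
// $user->authorise($action, $asset); it is not the real JUser class.
final class StubUser
{
    private $grants;

    public function __construct(array $grants)
    {
        $this->grants = $grants;
    }

    public function authorise($action, $asset)
    {
        return in_array($asset . ':' . $action, $this->grants, true);
    }
}

// Scoped check: one specific action, deny by default.
// Treating a target that holds core.admin as off-limits is an assumption
// modelled on "except the superuser's account" in the thread.
function canEditShopper(StubUser $actor, StubUser $target)
{
    $asset = 'com_virtuemart';
    if ($actor->authorise('core.admin', $asset)) {
        return true;   // full admins keep the rights they already had
    }
    if ($target->authorise('core.admin', $asset)) {
        return false;  // delegated editors never modify admin accounts
    }
    return $actor->authorise('vm.user.edit', $asset);
}

// Model of the blanket change for contrast: every caller and every
// permission name passes, so the check no longer distinguishes anything.
function checkAlwaysTrue($perms)
{
    return true;
}

// Constructed sample accounts.
$super   = new StubUser(['com_virtuemart:core.admin']);
$manager = new StubUser(['com_virtuemart:vm.user.edit']);
$shopper = new StubUser([]);

var_dump(canEditShopper($manager, $shopper)); // delegated editor on a shopper
var_dump(canEditShopper($manager, $super));   // delegated editor on an admin
var_dump(canEditShopper($shopper, $manager)); // account with no grants
var_dump(checkAlwaysTrue('admin'));           // bypass model
```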
Title: Re: Can't edit user - hacking attempt
Post by: lindapowers on October 13, 2015, 05:12:24 AM
Did someone manage to solve it?

Even in current version vm 3.010 it seems impossible for administrators to edit users.