Virtuemart 3.0.10 ACL check fault in tables/userinfos.php

Started by Doeke Norg, October 07, 2015, 11:16:57 AM


Doeke Norg

I have a custom component which creates and updates vm users programmatically.
Recently I've added an install-script to my component which creates a usergroup and sets the ACL rights for different components including virtuemart.

Since I'm using ACL I've been getting an error "vm hacking attempt uid check". I've found that every manager-check includes a check for core.admin AND core.manage except for the userinfos.php table.
Of course I can upgrade the group-rights to core.admin for virtuemart, but I'm trying to keep virtuemart dummy-proof. Granting admin-rights gives my users options they don't need to touch, and preferably never even see.

It's in the check-function, line 103:

if(!$user->authorise('core.admin','com_virtuemart')){


which in my mind needs to be changed to:

$manager = ($user->authorise('core.admin','com_virtuemart') or $user->authorise('core.manage','com_virtuemart'));
if(!$manager){


This check is done EVERYwhere, except here.

Milbo

Thank you, it is replaced with the correct vmAccess manager. So far it looks like I found 120 locations and missed the 121st location.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
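
A heuristic audit for the gap discussed in this thread, added here as an example (not code from either poster or from VirtueMart): it flags authorise('core.admin', 'com_virtuemart') checks that have no core.manage check on the same or an adjacent line. The function name, the one-line window and the PHP sample are assumptions constructed for illustration.

```python
import re

# authorise('<action>', 'com_virtuemart') with either quote style.
AUTH_CALL = re.compile(
    r"authorise\(\s*['\"](core\.[a-z.]+)['\"]\s*,\s*['\"]com_virtuemart['\"]\s*\)"
)

def find_admin_only_checks(php_source, window=1):
    """Return (line_no, stripped_line) for every core.admin check that has no
    core.manage check within `window` lines. Heuristic: hits need manual
    review, and checks hidden behind helper functions are not seen."""
    lines = php_source.splitlines()
    actions = [set(AUTH_CALL.findall(line)) for line in lines]
    findings = []
    for i, acts in enumerate(actions):
        if "core.admin" not in acts:
            continue
        nearby = set().union(*actions[max(0, i - window): i + window + 1])
        if "core.manage" not in nearby:
            findings.append((i + 1, lines[i].strip()))
    return findings

# Constructed sample, not VirtueMart source: store() uses the combined
# manager check, check() still requires core.admin alone.
SAMPLE = """<?php
// constructed sample
function store($user) {
    $manager = ($user->authorise('core.admin','com_virtuemart') or $user->authorise('core.manage','com_virtuemart'));
    if(!$manager){
        return false;
    }
    return true;
}

function check($user) {
    if(!$user->authorise('core.admin','com_virtuemart')){
        return false;
    }
    return true;
}
"""

if __name__ == "__main__":
    for line_no, text in find_admin_only_checks(SAMPLE):
        print(f"line {line_no}: admin-only check: {text}")
```

Run over each PHP file of a component, the findings list gives the places where a group holding only core.manage would be rejected.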