Administrators can't view or edit users in backend - hacking attempt VM 3.0.10

Started by lindapowers, January 12, 2015, 21:31:55 PM


lindapowers

Hi

Permissions work in all cases for administrators, but not when editing or viewing users.

In this case the administrator gets a "hacking attempt" message and is redirected to his own details.

Please note I'm talking about administrators, not super users; I believe that is why this bug may still be present, since it was commented on here http://forum.virtuemart.net/index.php?topic=124536.0

Regards

VirtueMart 2.6.14 Joomla! 2.5.25

lindapowers

I'll cry once more for this: our workers (administrators) can't edit users in the backend and that is a pain! We don't want to give them access to mess with VM settings; please, we need a solution for this.

Regards

Milbo

It is definitely fixed for VM3. I don't know why it does not work for you in VM 2.6.14.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

lindapowers

Quote from: Milbo on January 23, 2015, 21:47:44 PM
It is definitely fixed for VM3. I don't know why it does not work for you in VM 2.6.14.

I think it doesn't work for anyone in VM 2.6.14; only a few mentioned it, as I believe not many of us use administrators as vendors, removing the super user privilege.

I tried in 3 different installations and the same happened, but anyway I'll wait till we update to VM3.

Regards

lindapowers

I've seen several topics relating to permission issues.


VM 3.0.10 now

Administrators can't edit user details in the backend:

Saving details will show:

Error

vmError: Hacking attempt uid check, you got logged

And changes won't be saved either.


We still have to give our administrators full access to configuration etc or they are not able to edit customer details in the backend.

Milbo

Seems you are missing something: http://docs.virtuemart.net/manual/general-concepts/185-administrative-frontend-access-with-acl.html

It is working very well for us and we use the system intensively in our own live store.

Quote
vmError: Hacking attempt uid check, you got logged
And changes won't be saved either.
Of course not, you are recognised as a hacker; it would be strange if it would update the data even though you are recognised as a hacker.

lindapowers

Quote from: Milbo on October 09, 2015, 08:27:52 AM
Seems you are missing something: http://docs.virtuemart.net/manual/general-concepts/185-administrative-frontend-access-with-acl.html

It is working very well for us and we use the system intensively in our own live store.

Quote
vmError: Hacking attempt uid check, you got logged
And changes won't be saved either.
Of course not, you are recognised as a hacker; it would be strange if it would update the data even though you are recognised as a hacker.

Hi Max, thanks. I read the documentation carefully but nothing changes; please check this post: https://forum.virtuemart.net/index.php?topic=124536.0

I think the bug is still present.

Configuring ACL & Options to "Denied" for an administrator won't allow him to edit shopper details, even with "edit users" allowed.

lindapowers

Ok Max, a developer fixed this for us and now it is working. Please check it, since this happens even in the latest VM.


The fix is done in administrator/components/com_virtuemart/tables/userinfos.php

I copied you what he said and uploaded the file, renamed to txt, with the fixes for VM 3.0.11.

He said he added a simple check for $user->authorise('vm.user.edit','com_virtuemart') which was missing.

Quote
remove these lines
   if(!vmAccess::manager('core')){
    $q = "SELECT virtuemart_user_id
          FROM #__virtuemart_userinfos
          WHERE virtuemart_userinfo_id = ".$this->virtuemart_userinfo_id;
    $this->_db->setQuery($q);
    $total = $this->_db->loadColumn();

    if (count($total) > 0) {

     $userId = JFactory::getUser()->id;
     if($total[0]!=$userId){
      vmError('Hacking attempt uid check, you got logged');
      echo 'Hacking attempt uid check, you got logged';
      return false;
     }
    }
   }

and replace with

   if(!vmAccess::manager('core')){
    $user = JFactory::getUser();
    if(!$user->authorise('vm.user.edit','com_virtuemart') ) {
     $q = "SELECT virtuemart_user_id
           FROM #__virtuemart_userinfos
           WHERE virtuemart_userinfo_id = ".$this->virtuemart_userinfo_id;
     $this->_db->setQuery($q);
     $total = $this->_db->loadColumn();

     if (count($total) > 0) {

      $userId = $user->id;
      if($total[0]!=$userId){
       vmError('Hacking attempt uid check, you got logged');
       echo 'Hacking attempt uid check, you got logged';
       return false;
      }
     }
    }
   }

Milbo

Thank you,

it should then be

if(!vmAccess::manager('user.edit')){
.............
}


Any use of $user->authorise is forbidden in VM code; vmAccess checks for admin automatically.
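The check discussed in this thread is an ownership guard: a shopper who is not a manager may only store the userinfo record that belongs to their own account, so a tampered virtuemart_userinfo_id in a form submission is rejected and logged, while accounts holding the edit-users permission skip the guard. The following is an added, stand-alone PHP model of that decision logic in the shape Milbo suggests (a single manager check for 'user.edit', which also passes for 'core' managers); it is not VirtueMart's code. The function names (is_manager, can_edit_userinfo), the permission array standing in for Joomla's ACL, and the owner map standing in for the #__virtuemart_userinfos query are all assumptions made for the example.

```php
<?php
// Added example, not VirtueMart's code. Models the userinfo ownership check
// from this thread; all names below are illustrative assumptions.

// Constructed sample: ACL actions held by each account (stands in for Joomla's ACL).
$permissions = [
    1 => ['core'],        // super user: a 'core' manager passes every check
    2 => ['user.edit'],   // administrator allowed to edit shoppers, not configuration
    3 => [],              // ordinary shopper
];

// Constructed sample: virtuemart_userinfo_id => owning virtuemart_user_id
// (stands in for the SELECT on #__virtuemart_userinfos in the quoted code).
$userinfoOwners = [
    100 => 1,
    200 => 2,
    300 => 3,
];

/**
 * Stand-in for vmAccess::manager($action): 'core' managers pass every check,
 * otherwise the named action must have been granted to the user.
 */
function is_manager(array $permissions, int $userId, string $action): bool
{
    $granted = $permissions[$userId] ?? [];
    return in_array('core', $granted, true) || in_array($action, $granted, true);
}

/**
 * Decide whether $userId may store userinfo record $userinfoId.
 * Managers for 'user.edit' may edit anyone; everyone else only their own record.
 * Returns [allowed (bool), reason (string)].
 */
function can_edit_userinfo(array $permissions, array $owners, int $userId, int $userinfoId): array
{
    if (is_manager($permissions, $userId, 'user.edit')) {
        return [true, 'allowed: user.edit manager'];
    }
    if (!array_key_exists($userinfoId, $owners)) {
        // No existing row to compare against (the quoted code's count($total) == 0 case).
        return [true, 'allowed: new record'];
    }
    if ($owners[$userinfoId] !== $userId) {
        // Ownership mismatch: reject and log, as the original uid check does.
        return [false, 'Hacking attempt uid check, you got logged'];
    }
    return [true, 'allowed: own record'];
}

// Constructed scenarios, including the case reported in this thread.
$cases = [
    [1, 300], // super user edits a shopper's record
    [2, 300], // administrator with user.edit edits a shopper (failed before the fix)
    [3, 300], // shopper edits own record
    [3, 200], // shopper submits another account's userinfo id
];
foreach ($cases as [$uid, $infoId]) {
    [$ok, $why] = can_edit_userinfo($permissions, $userinfoOwners, $uid, $infoId);
    printf("user %d -> userinfo %d: %s (%s)\n", $uid, $infoId, $ok ? 'OK' : 'DENIED', $why);
}
```

Run with `php example.php`; the first three scenarios are allowed and the last is denied with the logged message. The point to keep from the thread is that the fix does not remove the ownership check, it only routes the exemption through the project's own access helper, so the guard against shoppers editing other accounts stays in place while administrators with the edit-users permission are no longer treated as attackers.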