Post by markh » Fri Apr 21, 2017 12:16 am

Hi - I am implementing a mod where I have quite a lot of admin users maintaining the product catalog and unless they are in a particular role they can only see and edit their own record. This works fine except it is possible for a user to manually change the user id in the browser URL and see another person's record. I can easily block the update but I want to block them even being able to load the page in this instance. What do I need to change and where? I guess I need to tap into admin/controller/user/user.php edit() function and stop the getForm() call but what is the most elegant way to do that and display a relevant message to the user?

Mark


Post by artcore » Fri Apr 21, 2017 12:47 am

The admin rights are based on the route. Did you implement permissions on document level?
I think the easiest way is to compare the user_id in the URL to the logged-in userId().


Post by markh » Fri Apr 21, 2017 8:37 pm

Sorry, maybe I wasn't clear. I have allowed users to access and update user records (this is in the Admin area, not customer facing), restricted them to only be able to list their own records (based on the logged-in user id), and also blocked them from updating a record that is not theirs. However, when they bring up the edit page for their record, if they were to be sneaky enough to change the id in the URL to that of another user and hit enter, the system will show them the other user's details (but I've blocked the update). Now I want to block them from even seeing that data by trapping them in the edit part of the user controller before the page gets displayed, and I cannot see or work out how I either redirect them to whatever page they were legitimately on before or display a basic page with an error on it.

TIA, Mark


Post by artcore » Fri Apr 21, 2017 10:14 pm

I'm not sure if you added some table to map users to certain documents (customer, orders, etc.), but the logic still applies. If a record doesn't have their user_id (matched by the URL param), redirect to something. OC3 has multi-user btw, which might save you some extra logic.


Post by markh » Fri Apr 21, 2017 10:24 pm

So presumably I have to pick up the baton only after the route has been parsed and initiated, and then, before the page display, redirect back to where I was. Can anyone tell me, though, how I can tell what the page was before so I can bounce back to it?

Can anyone point me at a representative example (even in an extension) I might refer to?

Ta, Mark

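The kind of ownership check the thread is describing, written here as an added example (it is not OpenCart's code and not from any poster in this thread). It assumes the OpenCart 2.3 admin API (`$this->user->getId()`, `$this->user->getGroupId()`, `$this->response->redirect()`, `token=` URLs) and a hypothetical setting `config_user_admin_group` holding the group id that may open any record; the list action is assumed to read and unset `$this->session->data['error']` to show the message.

```php
<?php
// Illustrative edit() for admin/controller/user/user.php (OpenCart 2.3 assumed).
// The ownership check runs before getForm() and before the POST branch, so a
// tampered user_id in the URL neither renders nor updates another user's record.
class ControllerUserUser extends Controller {
    private $error = array();

    public function edit() {
        $this->load->language('user/user');
        $this->document->setTitle($this->language->get('heading_title'));
        $this->load->model('user/user');

        if (!$this->canOpenRequestedUser()) {
            // Message for the list page (hypothetical text; getList() must read
            // and unset $this->session->data['error'] to display it).
            $this->session->data['error'] = 'You may only view and edit your own user record.';
            // Send the user to a page they are known to be allowed on (their own
            // list) instead of trusting the Referer header, which the browser
            // controls and which may be absent or forged.
            $this->response->redirect($this->url->link('user/user', 'token=' . $this->session->data['token'], true));
        }

        if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validateForm()) {
            $this->model_user_user->editUser($this->request->get['user_id'], $this->request->post);
            $this->session->data['success'] = $this->language->get('text_success');
            $this->response->redirect($this->url->link('user/user', 'token=' . $this->session->data['token'], true));
        }

        $this->getForm();
    }

    // True only when the logged-in admin may open the record named by ?user_id=.
    private function canOpenRequestedUser() {
        // Privileged group (hypothetical config key) may open any record.
        if ((int)$this->user->getGroupId() === (int)$this->config->get('config_user_admin_group')) {
            return true;
        }
        // Fail closed: edit() without a user_id is not a record the user owns.
        if (!isset($this->request->get['user_id'])) {
            return false;
        }
        // Everyone else may open only their own record; compare as integers so
        // values like "7abc" or " 7" cannot slip past a loose string comparison.
        return (int)$this->request->get['user_id'] === (int)$this->user->getId();
    }

    // validateForm() and getForm() are the existing controller methods and are unchanged.
}
```

The same `canOpenRequestedUser()` check belongs in `delete()` and any AJAX actions that accept a `user_id`, since hiding a form does nothing for requests that bypass it.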