MODx Bug/Feature Tracker and Feature Requests
FS#947 — Module permissions do not handle multiple usergroups
Attached to Project — MODx
Opened by johan (johan) - Thursday, 13 September 2007, 05:08AM
Last edited by Jason Coward (opengeek) - Sunday, 23 September 2007, 02:06PM
| Task Type | Bug Report |
|---|---|
| Category | Core Distribution |
| Status | Closed |
| Assigned To | Mike Reid (pixelchutes) |
| Operating System | All |
| Severity | High |
| Priority | Normal |
| Reported Version | 0.9.6 |
| Due in Version | 0.9.6.1 |
| Due Date | Undecided |
| Percent Complete | |
Details
A module I built had two user groups which may access the module, but only one of them got access. Problem: within the query of this permission check only one record is fetched and validated.
In my code I have fixed this; I guess it is a good fix to do in the main code of modx.
As you can see below there is a LIMIT 1 and only $row is validated. I removed the LIMIT 1 and added a while to check all occurrences.
Probably another option is just to remove the LEFT JOIN and make it a normal JOIN and validate if there are records returned.
The code below can be found in manager/processors/execute_module.processor.php
original code:
```php
// check if user has access permission, except admins
if($_SESSION['mgrRole']!=1){
    $sql = "SELECT sma.usergroup,mg.member " .
        "FROM ".$modx->getFullTableName("site_module_access")." sma " .
        "LEFT JOIN ".$modx->getFullTableName("member_groups")." mg ON mg.user_group = sma.usergroup AND member='".$modx->getLoginUserID()."'".
        "WHERE sma.module = '$id' LIMIT 1";
    $rs = $modx->dbQuery($sql);
    $row = $modx->fetchRow($rs);
    echo '<pre>';
    echo $sql;
    var_dump($row);
    echo '</pre>';
    if($row["usergroup"] && !$row["member"]) {
        echo "<script type='text/javascript'>" .
            "function jsalert(){ alert('You do not sufficient privileges to execute this module.');" .
            "window.location.href='index.php?a=106';}".
            "setTimeout('jsalert()',100)".
            "</script>";
        exit;
    }
}
```
my fix:
```php
// check if user has access permission, except admins
if($_SESSION['mgrRole']!=1){
    $sql = "SELECT sma.usergroup,mg.member " .
        "FROM ".$modx->getFullTableName("site_module_access")." sma " .
        "LEFT JOIN ".$modx->getFullTableName("member_groups")." mg ON mg.user_group = sma.usergroup AND member='".$modx->getLoginUserID()."'".
        "WHERE sma.module = '$id'";
    $rs = $modx->dbQuery($sql);
    $accessBoo = false;
    while ($row = $modx->fetchRow($rs)) {
        if($row["usergroup"] && $row["member"]) {
            $accessBoo = true;
        }
    }
    if(!$accessBoo) {
        echo "<script type='text/javascript'>" .
            "function jsalert(){ alert('You do not sufficient privileges to execute this module.');" .
            "window.location.href='index.php?a=106';}".
            "setTimeout('jsalert()',100)".
            "</script>";
        exit;
    }
}
```
Closed by Mike Reid (pixelchutes)
Wednesday, 23 January 2008, 04:00PM
Reason for closing: Fixed
Additional comments about closing: This issue was confirmed and fixed as of revision 3314
```php
// check if user has access permission, except admins
if($_SESSION['mgrRole']!=1){
    $sql = "SELECT sma.usergroup,mg.member " .
        "FROM ".$modx->getFullTableName("site_module_access")." sma " .
        "LEFT JOIN ".$modx->getFullTableName("member_groups")." mg ON mg.user_group = sma.usergroup AND member='".$modx->getLoginUserID()."'".
        "WHERE sma.module = '$id'";
    $rs = $modx->dbQuery($sql);
    //initialize permission to -1, if it stays -1 no permissions
    //attached so permission granted
    $permissionAccessInt = -1;
    while ($row = $modx->fetchRow($rs)) {
        if($row["usergroup"] && $row["member"]) {
            //if there are permissions and this member has permission, of course
            //this is granted
            $permissionAccessInt = 1;
        } elseif ($permissionAccessInt==-1) {
            //if there are permissions but this member has no permission and the
            //variable was still in init state we set permission to 0; no permissions
            $permissionAccessInt = 0;
        }
    }
    if($permissionAccessInt==0) {
        echo "<script type='text/javascript'>" .
            "function jsalert(){ alert('You do not sufficient privileges to execute this module.');" .
            "window.location.href='index.php?a=106';}".
            "setTimeout('jsalert()',100)".
            "</script>";
        exit;
    }
}
```
- Field changed: Status (Unconfirmed → New)
- Field changed: Due in Version (Undecided → 0.9.6.1)
- Field changed: Due Date (Undecided → Undecided)
Thanks for the report and solutions, johan. We will research and try to implement for the 0.9.6.1 release.
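
The three permission checks posted in this ticket, compared side by side over constructed result sets (an added example, not MODx code and not code from the ticket's participants; the function names, group ids and user id 7 are assumptions). It shows that the original check depends on which row the query returns first, and that the first fix denies a module with no user groups attached, the case the revised version treats as unrestricted.

```php
<?php
// Added illustration, not MODx code. Each row models one result row of the
// LEFT JOIN in the report: 'usergroup' is a group allowed to run the module,
// 'member' is the logged-in user's id if they belong to it, otherwise null.

// Original check: only the first row is inspected (LIMIT 1).
function originalCheck(array $rows): bool {
    $row = $rows[0] ?? null;
    return !($row && $row['usergroup'] && !$row['member']);
}

// First fix from the report: allow only if some row matched the user.
function firstFix(array $rows): bool {
    foreach ($rows as $row) {
        if ($row['usergroup'] && $row['member']) {
            return true;
        }
    }
    return false;
}

// Revised fix: no rows means the module is unrestricted; otherwise the user
// must be a member of at least one listed group.
function revisedFix(array $rows): bool {
    $permission = -1;
    foreach ($rows as $row) {
        if ($row['usergroup'] && $row['member']) {
            $permission = 1;
        } elseif ($permission == -1) {
            $permission = 0;
        }
    }
    return $permission != 0;
}

// Constructed result sets (group ids 1 and 2 and user id 7 are made up).
$cases = [
    'no groups attached'      => [],
    'member of first group'   => [['usergroup' => 1, 'member' => 7], ['usergroup' => 2, 'member' => null]],
    'member of second group'  => [['usergroup' => 1, 'member' => null], ['usergroup' => 2, 'member' => 7]],
    'member of neither group' => [['usergroup' => 1, 'member' => null], ['usergroup' => 2, 'member' => null]],
];

foreach ($cases as $label => $rows) {
    printf("%-24s original=%-5s firstFix=%-5s revisedFix=%s\n", $label,
        originalCheck($rows) ? 'allow' : 'deny',
        firstFix($rows) ? 'allow' : 'deny',
        revisedFix($rows) ? 'allow' : 'deny');
}
```

Because the original query has no ORDER BY, which of the two rows `LIMIT 1` returns is not guaranteed, so the "member of first group" and "member of second group" cases can swap outcomes for the same user under the original check.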