215 Posts
10 years ago
1
Topic
While I was trying to solve the forum post regarding allowing admins to edit a user's profile
I discovered that a logged-in registered user could enter a URL, such as below and start editing another user's details.
So I am adding preceding my templates with this code:
It would seem there should be an ACL attribute check box, like Edit Own User Details vs Edit All Users. Not sure what the real issue is here.
Using J3 and Seblod3.2 (also true on J2.5)
I discovered that a logged-in registered user could enter a URL, such as below and start editing another user's details.
http://[your-domain-here]/index.php?option=com_cck&view=form&layout=edit&type=user&id=[id_of_any_user]Type could also be equal to another User-type form, e.g. applicants or whatever you might call it.
So I am adding preceding my templates with this code:
<?php
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
$mainframe->route();
$user =& JFactory::getUser();
$usrid = $user->get('id');
$grparray = $user->get('groups');
$sum = count($grparray);
for ($i=0; $i<$sum; $i++) {
$grpid = $grparray[$i];
}
$getGroups = JAccess::getGroupsByUser($usrid);
$sum2 = count($getGroups);
for ($i=0; $i<$sum2; $i++) {
$newgrpid = $getGroups[$i];
}
// Append associative array elements
function array_push_associative(&$arr) {
$args = func_get_args();
foreach ($args as $arg) {
if (is_array($arg)) {
foreach ($arg as $key => $value) {
$arr[$key] = $value;
$ret++;
}
}else{
$arr[$arg] = "";
}
}
return $ret;
}
$urlCCK = array();
foreach($_GET as $key => $value) {
array_push_associative($urlCCK, $items = array("$key" => "$value"));
}
// IF current user is in the Registered Group and their id is NOT equal to the URL's, then there's a problem.
if (
($newgrpid == 2) && // Registered or above
($urlCCK['option'] == 'com_cck') &&
($urlCCK['view'] == 'form') &&
($urlCCK['layout'] == 'edit') &&
($urlCCK['type'] == 'user') && // e.g. user or applicants, etc.
($urlCCK['id'] != $usrid)
) {
header('Location: [Add your URL to an Access Denied type page]');
exit;
}
Perhaps there is a better solution?It would seem there should be an ACL attribute check box, like Edit Own User Details vs Edit All Users. Not sure what the real issue is here.
Using J3 and Seblod3.2 (also true on J2.5)
215 Posts
10 years ago
0
Level 1
The solution to fixing this is to set permissions for the User
Form/Content Type > Registered > Edit = Denied ... EVEN though
the calculated setting was "Not Allowed" ... it was NOT sticking. Check
your implementations.
