
Admin Access Direct URL


jamyboy


Dear fellas, I just found a problem with Admin Center access, which is as follows.

In Admin Center I went and created a new group with the name 'Finance' and gave the below permissions to the pilot.

  • View finance
  • Admin Access

After one week the same pilot sent me an email and informed me that his VA hours had reset to zero instead of 2000+. When I investigated in Admin Center, I went to the Admin Activity log and found that the same pilot had somehow got access to pilots' profiles and had himself changed his own profile data, and because of that his VA hours now show zero. I still don't know why.

I got confused as to how this pilot got access, so I changed his password and logged in from his account myself. After spending some time I found the below:

Can anyone here solve this puzzle as to how pilots can get access by just typing a URL in the browser, even though he doesn't have permissions for the other options in Admin Center?

Regards

James


  • Administrators

There are a number of admin modules that are only protected by the link not being in the menu for a user who does not have permissions for that function. If you look at the MassMailer module you will find that each function has a permissions check:

$this->checkPermission(EMAIL_PILOTS);

but if you look at the PilotAdmin module, it does not. It is one of the many things that need to be extended in the system. You could go through and add the proper permissions to every function in the admin system to fix it; just remember that if there is ever an update, the changes would probably be overwritten unless you submit them in a pull request to the GitHub project.

On the other hand I would have to ask myself if I need people in my VA that I need to worry about doing things like this?

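The reply above describes the gap: an admin module reachable by direct URL whose actions are gated only by the menu, versus one that calls checkPermission() in every action. The PHP below is an added illustration of that pattern and is not phpVMS project code; the permission constants, the bitmask scheme, the AdminModule base class, the dispatch() method and the PilotAdmin class names are all assumptions made for the example. It replays the thread's scenario: a 'Finance' group that has only View finance and Admin Access, calling an editpilot action directly.

```php
<?php
// Added example, not phpVMS project code. Permission bits, class names and
// the dispatch scheme below are assumptions chosen for illustration.

const ADMIN_ACCESS = 1 << 0;
const VIEW_FINANCE = 1 << 1;
const EMAIL_PILOTS = 1 << 2;
const EDIT_PILOTS  = 1 << 3;

class PermissionDenied extends Exception {}

abstract class AdminModule
{
    // Bitmask of permissions granted to the logged-in user's group.
    protected int $granted;

    public function __construct(int $granted)
    {
        $this->granted = $granted;
    }

    // Deny unless every bit in $required is present in the user's grant.
    protected function checkPermission(int $required): void
    {
        if (($this->granted & $required) !== $required) {
            throw new PermissionDenied(sprintf('missing permission bit(s) 0x%x', $required & ~$this->granted));
        }
    }

    // What a typed URL such as /admin/.../pilotadmin/editpilot reaches:
    // the router maps the path segment to a method, menu link or not.
    public function dispatch(string $action, array $params = []): string
    {
        if (!method_exists($this, $action)) {
            throw new InvalidArgumentException("no such action: $action");
        }
        return $this->$action(...$params);
    }
}

// Vulnerable shape: ADMIN_ACCESS is checked once on entry, then every
// action is open to anyone who can reach the admin center at all.
class PilotAdminVulnerable extends AdminModule
{
    public function __construct(int $granted)
    {
        parent::__construct($granted);
        $this->checkPermission(ADMIN_ACCESS);
    }

    public function editpilot(int $pilotId, int $hours): string
    {
        // No per-action check here.
        return "pilot $pilotId: hours set to $hours";
    }
}

// Hardened shape: each action names the permission it needs, the way the
// MassMailer functions do with checkPermission(EMAIL_PILOTS).
class PilotAdminHardened extends AdminModule
{
    public function __construct(int $granted)
    {
        parent::__construct($granted);
        $this->checkPermission(ADMIN_ACCESS);
    }

    public function editpilot(int $pilotId, int $hours): string
    {
        $this->checkPermission(EDIT_PILOTS);
        return "pilot $pilotId: hours set to $hours";
    }
}

// The 'Finance' group from the thread: View finance + Admin Access only.
$financeGroup = ADMIN_ACCESS | VIEW_FINANCE;

// Direct URL to the vulnerable module succeeds and zeroes the hours.
$vuln = new PilotAdminVulnerable($financeGroup);
echo "vulnerable: " . $vuln->dispatch('editpilot', [1001, 0]) . PHP_EOL;

// The same request against the hardened module is refused.
$hard = new PilotAdminHardened($financeGroup);
try {
    $hard->dispatch('editpilot', [1001, 0]);
} catch (PermissionDenied $e) {
    echo "hardened: editpilot denied for Finance group (" . $e->getMessage() . ")" . PHP_EOL;
}
```

The check belongs inside every action rather than only in the constructor or the menu template, because the router, not the menu, decides what a URL reaches; hiding a link is presentation, not authorization. Testing is as the later reply suggests: log in as an account that lacks the permission and request each admin URL directly, expecting a denial from every one.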

In Admin Center I went and created a new group with the name 'Finance' and gave the below permissions to the pilot.

  • View finance
  • Admin Access

Maybe that's your issue? If he's logged in, and if he has access, and it seems that he has the permission to, then he can view it by direct admin URL.

Have you tried logging out and seeing if it still goes in or logging in to another account that has no access?

No worries about your lack of knowledge; it's just learning. :D

