Posted

I've created a HR group and I have someone I trust enough to manage and delete pilots but I don't want him to manage any other parts of my site.

I've given that group ACCESS_ADMIN and EDIT_PILOTS but I've noticed that they can not do everything I'd like them to.

They can not "change Pilot Groups", "Reset Passwords", or "Delete Pilots".

My question to you PHP gurus is do you know of any way to adjust the code for this group so I can add those rights to it? The delete feature is really what I want but if all three can be done that would be great!

Thanks,

Keith

  • Moderators
Posted

Well firstly I had this and flagged it up as a security issue over a year ago and Nabeel put in a fix. Basically, if you give the staff member the ability to change groups then they can add themselves to the admin group and do what they like to your site.

The code will need a modification to hide the admin option which should be above their level.

  • Moderators
Posted

Hey Keith,

Let's look at an example admin tpl file....

You may notice this perm parser. Just like that, just an example.

<?php
	if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) 
	{ ?>
		<button href="<?php echo adminaction('/pilotadmin/viewpilots');?>" pilotid="<?php echo $pilotid;?>" 
			action="removegroup" id="<?php echo $group->groupid;?>" 
			class="pilotgroupajax button {button:{icons:{primary:'ui-icon-trash'}}}">Remove</button></td>
	<?php
	} ?>

So if you want to make the HR able to change a group or something.....

Then change the FULL_ADMIN to EDIT_PILOTS

Then it should be good. You can do the same for the other Perm Auths in the admin tpl files.

I had to do that too. Worked Great.

Posted

> Hey Keith,
>
> Let's look at an example admin tpl file....
>
> You may notice this perm parser. Just like that, just an example.
>
> <?php
> 	if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) 
> 	{ ?>
> 		<button href="<?php echo adminaction('/pilotadmin/viewpilots');?>" pilotid="<?php echo $pilotid;?>" 
> 			action="removegroup" id="<?php echo $group->groupid;?>" 
> 			class="pilotgroupajax button {button:{icons:{primary:'ui-icon-trash'}}}">Remove</button></td>
> 	<?php
> 	} ?>
>
> So if you want to make the HR able to change a group or something.....
>
> Then change the FULL_ADMIN to EDIT_PILOTS
>
> Then it should be good. You can do the same for the other Perm Auths in the admin tpl files.
>
> I had to do that too. Worked Great.

Sorry, I'm not trying to sound ignorant here but I'm not following what I need to do exactly.

If I change that wouldn't that mess up my permissions for the FULL_ADMIN group? The group change thing really isn't a big deal. I just want my HR group to be able to delete pilots.

Posted

> Well firstly I had this and flagged it up as a security issue over a year ago and Nabeel put in a fix. Basically, if you give the staff member the ability to change groups then they can add themselves to the admin group and do what they like to your site.
>
> The code will need a modification to hide the admin option which should be above their level.

Thanks for the heads up on this. I don't really think giving them that right will be needed.

Thanks again!

Guest lorathon
Posted

Keith,

Do you want this user to be able to delete a pilot who has already been accepted? If so then you can modify the pilots_options.tpl. At the top of the template is the if statement that controls who can see this area.

if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) 

Just change the FULL_ADMIN to the access level you wish to be able to view (EDIT_PILOTS), or you can add an or to the if statement

if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN) || PilotGroups::group_has_perm(Auth::$usergroups, EDIT_PILOTS)) 

Posted

> Keith,
>
> Do you want this user to be able to delete a pilot who has already been accepted? If so then you can modify the pilots_options.tpl. At the top of the template is the if statement that controls who can see this area.
>
> if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) 
>
> Just change the FULL_ADMIN to the access level you wish to be able to view (EDIT_PILOTS), or you can add an or to the if statement
>
> if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN) || PilotGroups::group_has_perm(Auth::$usergroups, EDIT_PILOTS)) 

Jeff,

That did it!

Thank you so much for your help!

  • Administrators
Posted

Just be careful, they could delete you if they wanted to be an ass. That's why I didn't include that permission in there, perhaps I can change that so admin can only be deleted by other admin?

Posted

> Just be careful, they could delete you if they wanted to be an ass. That's why I didn't include that permission in there, perhaps I can change that so admin can only be deleted by other admin?

Thanks Nabeel.

I figured that was the reason you did that. I realize the risk I'm taking with doing this. My VA has been open for a year now and up until now I was the only one doing HR. The good thing is just in case he does become an ass I have my database automatically backed up nightly so I won't lose much if anything at all.

That would be a good idea to only allow Admin to delete Admin btw.

Thanks guys for all your help!!
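The two risks raised in this thread (an HR user with group rights promoting themselves to admin, and an HR user deleting an admin) can both be closed with checks on the actor's and the target's permissions. The following is an added example, not phpVMS code: the constant values, the `permissions` bitmask field and the `has_perm`/`can_delete_pilot`/`can_assign_group` helpers are assumptions made for illustration. Note that the `if` in the tpl file only hides the button; the same rule has to run in the action that actually performs the delete or group change.

```php
<?php
// Added example, not phpVMS code. Permissions are modelled as bit flags;
// the values below are assumptions, not the project's real constants.
const EDIT_PILOTS = 1 << 1;
const FULL_ADMIN  = 1 << 7;

// A group is an assumed array with a 'permissions' bitmask;
// a user holds a list of such groups.
function has_perm(array $groups, int $perm): bool
{
    foreach ($groups as $g) {
        if (($g['permissions'] & $perm) === $perm) {
            return true;
        }
    }
    return false;
}

// Delete rule: EDIT_PILOTS may delete ordinary pilots, but a pilot who
// holds FULL_ADMIN may only be deleted by another FULL_ADMIN.
function can_delete_pilot(array $actorGroups, array $targetGroups): bool
{
    if (has_perm($actorGroups, FULL_ADMIN)) {
        return true;
    }
    return has_perm($actorGroups, EDIT_PILOTS)
        && !has_perm($targetGroups, FULL_ADMIN);
}

// Group-change rule: an actor may only assign a group whose permissions are
// a subset of the actor's own, so a non-admin can never hand out FULL_ADMIN,
// to themselves or to anyone else.
function can_assign_group(array $actorGroups, array $newGroup): bool
{
    $actorMask = 0;
    foreach ($actorGroups as $g) {
        $actorMask |= $g['permissions'];
    }
    return has_perm($actorGroups, EDIT_PILOTS)
        && (($newGroup['permissions'] & ~$actorMask) === 0);
}

// Constructed sample groups.
$hr    = [['name' => 'HR',     'permissions' => EDIT_PILOTS]];
$admin = [['name' => 'Admin',  'permissions' => EDIT_PILOTS | FULL_ADMIN]];
$pilot = [['name' => 'Pilots', 'permissions' => 0]];

echo 'HR deletes pilot: ',    var_export(can_delete_pilot($hr, $pilot), true), "\n";
echo 'HR deletes admin: ',    var_export(can_delete_pilot($hr, $admin), true), "\n";
echo 'HR grants Admin: ',     var_export(can_assign_group($hr, $admin[0]), true), "\n";
echo 'Admin grants Admin: ',  var_export(can_assign_group($admin, $admin[0]), true), "\n";
```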
