TennShadow (posted February 19, 2011):

I've created a HR group and I have someone I trust enough to manage and delete pilots, but I don't want him to manage any other parts of my site. I've given that group ACCESS_ADMIN and EDIT_PILOTS, but I've noticed that they cannot do everything I'd like them to. They cannot "change Pilot Groups", "Reset Passwords", or "Delete Pilots". My question to you PHP gurus is: do you know of any way to adjust the code for this group so I can add those rights to it? The delete feature is really what I want, but if all three can be done that would be great! Thanks, Keith
mark1million, Moderator (posted February 19, 2011):

Well firstly, I had this and flagged it up as a security issue over a year ago and Nabeel put in a fix. Basically, if you give the staff member the ability to change groups then they can add themselves to the admin group and do what they like to your site. The code will need a modification to hide the admin option, which should be above their level.
Kyle, Moderator (posted February 19, 2011):

Hey Keith, let's look at an example admin tpl file. You may notice these perm parsers. Just like that, just an example:

```php
<?php if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) { ?>
<button href="<?php echo adminaction('/pilotadmin/viewpilots');?>"
        pilotid="<?php echo $pilotid;?>" action="removegroup"
        id="<?php echo $group->groupid;?>"
        class="pilotgroupajax button {button:{icons:{primary:'ui-icon-trash'}}}">Remove</button></td>
<?php } ?>
```

So if you want to make the HR able to change a group or something, then change the FULL_ADMIN to EDIT_PILOTS. Then it should be good. You can do the same for the other perm auths in the admin tpl files. I had to do that too. Worked great.
TennShadow, Author (posted February 20, 2011):

> Hey Keith, let's look at an example admin tpl file. You may notice these perm parsers. Just like that, just an example:
>
> ```php
> <?php if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN)) { ?>
> <button href="<?php echo adminaction('/pilotadmin/viewpilots');?>"
>         pilotid="<?php echo $pilotid;?>" action="removegroup"
>         id="<?php echo $group->groupid;?>"
>         class="pilotgroupajax button {button:{icons:{primary:'ui-icon-trash'}}}">Remove</button></td>
> <?php } ?>
> ```
>
> So if you want to make the HR able to change a group or something, then change the FULL_ADMIN to EDIT_PILOTS. Then it should be good. You can do the same for the other perm auths in the admin tpl files. I had to do that too. Worked great.

Sorry, I'm not trying to sound ignorant here, but I'm not following what I need to do exactly. If I change that, wouldn't that mess up my permissions for the FULL_ADMIN group? The group change thing really isn't a big deal. I just want my HR group to be able to delete pilots.
TennShadow, Author (posted February 20, 2011):

> Well firstly, I had this and flagged it up as a security issue over a year ago and Nabeel put in a fix. Basically, if you give the staff member the ability to change groups then they can add themselves to the admin group and do what they like to your site. The code will need a modification to hide the admin option, which should be above their level.

Thanks for the heads up on this. I don't really think giving them that right will be needed. Thanks again!
lorathon, Guest (posted February 20, 2011):

Keith, do you want this user to be able to delete a pilot who has already been accepted? If so, then you can modify the pilots_options.tpl. At the top of the template is the if statement that controls who can see this area:

```php
if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN))
```

Just change the FULL_ADMIN to the access level you wish to be able to view (EDIT_PILOTS), or you can add an or to the if statement:

```php
if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN) || PilotGroups::group_has_perm(Auth::$usergroups, EDIT_PILOTS))
```
TennShadow, Author (posted February 20, 2011):

> Keith, do you want this user to be able to delete a pilot who has already been accepted? If so, then you can modify the pilots_options.tpl. At the top of the template is the if statement that controls who can see this area:
>
> ```php
> if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN))
> ```
>
> Just change the FULL_ADMIN to the access level you wish to be able to view (EDIT_PILOTS), or you can add an or to the if statement:
>
> ```php
> if(PilotGroups::group_has_perm(Auth::$usergroups, FULL_ADMIN) || PilotGroups::group_has_perm(Auth::$usergroups, EDIT_PILOTS))
> ```

Jeff, that did it! Thank you so much for your help!
lorathon, Guest (posted February 20, 2011):

Glad I could help.
Nabeel, Administrator (posted February 20, 2011):

Just be careful, they could delete you if they wanted to be an ass. That's why I didn't include that permission in there. Perhaps I can change that so admin can only be deleted by other admin?
TennShadow, Author (posted February 21, 2011):

> Just be careful, they could delete you if they wanted to be an ass. That's why I didn't include that permission in there. Perhaps I can change that so admin can only be deleted by other admin?

Thanks Nabeel. I figured that was the reason you did that. I realize the risk I'm taking with doing this. My VA has been open for a year now and up until now I was the only one doing HR. The good thing is, just in case he does become an ass, I have my database automatically backed up nightly so I won't lose much if anything at all. That would be a good idea to only allow Admin to delete Admin btw. Thanks guys for all your help!!
Nabeel, Administrator (posted February 21, 2011):

I've added a bug for that, I'll take a look at it.
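As an added illustration of the two points raised in this thread (lorathon's template-level permission check and Nabeel's suggestion that an admin should only be deletable by another admin), here is a stand-alone PHP sketch of the guard that belongs on the server side of the delete action, not only around the button in the template. It is not phpVMS code: the bit values for the constants, the `group_has_perm()` stand-in for `PilotGroups::group_has_perm`, the `deletePilotDenialReason()` function and the sample pilot objects are all assumptions made for this example.

```php
<?php
// Added example, not phpVMS code. Assumptions (labelled): permissions are
// bit flags with invented values; a user's groups are objects carrying a
// ->permissions mask, standing in for Auth::$usergroups.
define('EDIT_PILOTS', 1 << 1);
define('FULL_ADMIN',  1 << 7);

/** Stand-in for PilotGroups::group_has_perm: any group carrying the bit. */
function group_has_perm(array $groups, int $perm): bool {
    foreach ($groups as $g) {
        if (($g->permissions & $perm) === $perm) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether $actor may delete $target. Returns null when allowed,
 * otherwise a short reason. Run this next to the delete query itself;
 * hiding the button in pilots_options.tpl only changes what is displayed.
 */
function deletePilotDenialReason(object $actor, object $target): ?string {
    if ($actor->pilotid === $target->pilotid) {
        return 'cannot delete your own account';
    }
    if (!group_has_perm($actor->groups, EDIT_PILOTS)
        && !group_has_perm($actor->groups, FULL_ADMIN)) {
        return 'missing EDIT_PILOTS';
    }
    // Nabeel's proposal from the thread: only an admin may delete an admin,
    // so an HR member with EDIT_PILOTS cannot remove the site owner.
    if (group_has_perm($target->groups, FULL_ADMIN)
        && !group_has_perm($actor->groups, FULL_ADMIN)) {
        return 'only FULL_ADMIN may delete a FULL_ADMIN pilot';
    }
    return null;
}

// Constructed sample data for a dry run.
$hrGroup    = (object)['permissions' => EDIT_PILOTS];
$adminGroup = (object)['permissions' => FULL_ADMIN | EDIT_PILOTS];
$hr    = (object)['pilotid' => 2, 'groups' => [$hrGroup]];
$admin = (object)['pilotid' => 1, 'groups' => [$adminGroup]];
$pilot = (object)['pilotid' => 3, 'groups' => []];

var_dump(deletePilotDenialReason($hr, $pilot));   // HR deleting a plain pilot
var_dump(deletePilotDenialReason($hr, $admin));   // HR trying to delete the admin
var_dump(deletePilotDenialReason($admin, $hr));   // admin deleting the HR member
```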