cubist
10 years ago
While I was trying to solve the forum post regarding allowing admins to edit a user's profile,
I discovered that a logged-in registered user could enter a URL such as the one below and start editing another user's details.
http://[your-domain-here]/index.php?option=com_cck&view=form&layout=edit&type=user&id=[id_of_any_user]
Type could also be equal to another User-type form, e.g. applicants or whatever you might call it.

So I am preceding my templates with this code:
<?php
// Bootstrap the Joomla framework only when this file is not already running inside
// Joomla. In a template rendered by Joomla, _JEXEC is already defined and the
// application is already initialised, so redefining it would raise a notice.
if (!defined('_JEXEC')) {
    define('_JEXEC', 1);
    define('JPATH_BASE', dirname(__FILE__));
    define('DS', DIRECTORY_SEPARATOR);
    require_once JPATH_BASE . DS . 'includes' . DS . 'defines.php';
    require_once JPATH_BASE . DS . 'includes' . DS . 'framework.php';

    // '=&' on a method call is not needed and raises a notice on PHP 5.3+
    $mainframe = JFactory::getApplication('site');
    $mainframe->initialise();
    $mainframe->route();
}

$user  = JFactory::getUser();
$usrid = (int) $user->get('id');

// All group ids the user belongs to (including inherited groups).
// The original loops only kept the last element of the array.
$getGroups = JAccess::getGroupsByUser($usrid);

// Append associative array elements; returns the number of keys added
function array_push_associative(&$arr) {
    $ret  = 0;                 // must be initialised before it is incremented
    $args = func_get_args();
    array_shift($args);        // func_get_args() includes $arr itself; drop it
    foreach ($args as $arg) {
        if (is_array($arg)) {
            foreach ($arg as $key => $value) {
                $arr[$key] = $value;
                $ret++;
            }
        } else {
            $arr[$arg] = "";
        }
    }
    return $ret;
}

$urlCCK = array();
foreach ($_GET as $key => $value) {
    array_push_associative($urlCCK, array($key => $value));
}

// Read the URL parameters with defaults so that missing keys do not raise notices.
$option = isset($urlCCK['option']) ? $urlCCK['option'] : '';
$view   = isset($urlCCK['view'])   ? $urlCCK['view']   : '';
$layout = isset($urlCCK['layout']) ? $urlCCK['layout'] : '';
$type   = isset($urlCCK['type'])   ? $urlCCK['type']   : '';
$id     = isset($urlCCK['id'])     ? (int) $urlCCK['id'] : 0;

// IF current user is in the Registered Group and their id is NOT equal to the URL's, then there's a problem.
if (
    in_array(2, $getGroups)  &&  // Registered (group id 2) or a group that inherits from it
    ($option == 'com_cck')   &&
    ($view   == 'form')      &&
    ($layout == 'edit')      &&
    ($type   == 'user')      &&  // e.g. user or applicants, etc.
    ($id     != $usrid)
) {
    header('Location: [Add your URL to an Access Denied type page]');
    exit;
}
Perhaps there is a better solution?

It would seem there should be an ACL attribute check box, like Edit Own User Details vs Edit All Users. Not sure what the real issue is here.

Using J3 and Seblod 3.2 (also true on J2.5)
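The same ownership check can be enforced once, centrally, as a Joomla system plugin instead of bootstrapping the framework at the top of every template. The code below is an added illustration, not code from this thread or from Seblod: the plugin name `cckowner`, the list of per-user form types, the assumption that the form's `id` parameter is the Joomla user id (as the URL above suggests), and the use of `core.edit` on `com_cck` to identify users who may edit anyone's record are all assumptions for the example. It also handles the cases the template snippet does not: other user-type forms (e.g. `applicants`), a missing `id` (a new record, which is left alone), and privileged users, who are recognised through the ACL rather than by group number.

```php
<?php
// plugins/system/cckowner/cckowner.php  (hypothetical plugin; added example, not Seblod code)
defined('_JEXEC') or die;

class PlgSystemCckowner extends JPlugin
{
    // Seblod form types that hold one record per Joomla user (assumption; extend as needed).
    protected $userTypes = array('user', 'applicants');

    // Runs on every request after routing, before the component is dispatched.
    public function onAfterRoute()
    {
        $app = JFactory::getApplication();

        // The back-end has its own ACL; only guard the front-end edit form.
        if (!$app->isSite()) {
            return;
        }

        $input = $app->input;

        // Only act on the Seblod edit form for a user-type record.
        if ($input->getCmd('option') !== 'com_cck'
            || $input->getCmd('view') !== 'form'
            || $input->getCmd('layout') !== 'edit'
            || !in_array($input->getCmd('type'), $this->userTypes, true)) {
            return;
        }

        // No id means a new record; creation is handled by the form's own permissions.
        $requestedId = $input->getInt('id', 0);
        if ($requestedId <= 0) {
            return;
        }

        $user = JFactory::getUser();

        // Users granted core.edit on the component may edit anyone's record (assumption).
        if ($user->authorise('core.edit', 'com_cck')) {
            return;
        }

        // Everyone else (guests included, since their id is 0) may only edit their own record.
        if ($requestedId !== (int) $user->id) {
            $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
            $app->redirect(JRoute::_('index.php?option=com_users&view=profile', false));
        }
    }
}
```

The plugin needs the usual manifest XML to be installed and enabled, and because the check runs in `onAfterRoute` it applies to every template and every entry point, so a user who crafts the URL by hand is stopped before `com_cck` loads the record. Note that this is a defence-in-depth layer on top of the Seblod permission setting, not a replacement for it.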
cubist
10 years ago
The solution to fixing this is to set permissions for the User Form/Content Type > Registered > Edit = Denied ... EVEN though the calculated setting was "Not Allowed" ... it was NOT sticking. Check your implementations.