ACL rules do not apply to auth->user model, allowing users to make themselves admins #39
Comments
Can you please provide more info on how you set up your ACL?

I just took the demo as it is, with a User Role configured for class \atk4\login\Model\Role with "All Editable" set to no. I thought that this means that a user belonging to "user role" is not allowed to edit the role "User role" (e.g. rename it). But in fact a user belonging to "user role" can rename the "user role".

Could you see the issue in the demo?

I will have to try to reproduce that and see if it works. It should, but ... :)

Just an idea - maybe it's using a cached (from session) user model and no permissions are set in it.

Cache does not play a role - it also does not work in a private fresh browser window. So ACL, as far as I can see, is not working. You can easily check just with the atk4/login demo.

* Refactoring to ATK 2.1
* Further refactoring to 2.1, however ACL rules are still not applied, so issue #39 persists.
Co-authored-by: Michael Krecek <[email protected]>

Given that in #44 it is stated that this issue is not resolved, @DarkSide666 were you able to reproduce this, and do you know if anyone is working on this? Thanks!

Tagging this as major, as it is necessary for many multi-user environments.

I will have to fix this sometime very soon if that's the actual issue.

Thank you - FYI, back 7 months ago (around that time) it still worked (1.7 ui/data). It then stopped working silently. Hope we can fix this first for 2.3 - however, as 2.3 still has some issues (which 2.2 doesn't), it would be great to have it for 2.2. At least we then have one working set of repos to work on.

I'm planning that this working set will be based on 2.3, but probably it can be backported for 2.2 too afterwards.

@mkrecek234 I see that #66 contains some code related to ACL. If you happen to test it, let us know if things got better. Thanks.

Hi there, I have now tested the latest release for 3.0 and could find what the issue really is with ACL:

This creates a very strange situation: each user can just go to their preference menu and change the role from user to admin and gain full access rights. To check, please follow these steps in the included demo:

The issue is here: https://github.com/atk4/login/blob/3.0.0/demos/acl-clients.php#L20 ACL currently needs to be initialized manually, if added into
Of course, this is bad, as ACL should be opt-in not opt-out, e.g.:

@mvorisek Confirmed. If you add $this->initAcl(); before this line https://github.com/atk4/login/blob/3.0.0/demos/_includes/App.php#L44

Most recent 3.0 and dev-develop do work now. Please note that the model HAS to be called Atk4... - if you call it \Atk4... the ACL rules will not apply. That might be improved for better usability.

This is crucial: it should always work on an opt-out basis, and the class names should be compared using reflection. IIRC, if the class is extended, it does not currently work either.

Matching of extended classes fixed in #84 (now you can specify a parent class or interface in
Tried this demo, and from my understanding the user "user" should not be allowed to change his own user role, according to the ACL entry stating that the Role model is not editable. In fact, he can edit his own role.
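The class-name matching problems raised in the comments above (a rule written for Atk4... not matching a model referenced as \Atk4..., and rules not covering classes that extend the protected model) can be reproduced with a small stand-alone matcher. This is an added example, not atk4/login's own code: AclRule, normalizeClass, isEditDenied, naiveDenied and the Role/CustomRole/Client classes are hypothetical stand-ins, and the rule set is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not atk4/login code: a minimal ACL rule matcher showing the two
// pitfalls from this thread, a leading backslash breaking the class-name
// comparison, and rules not applying to extended classes. All names are hypothetical.

final class AclRule
{
    public function __construct(
        public readonly string $modelClass,  // class or interface the rule targets
        public readonly bool $allEditable,   // false: members of the role may not edit
    ) {
    }
}

// Normalize a class name so '\Role' and 'Role' compare equal.
function normalizeClass(string $class): string
{
    return ltrim($class, '\\');
}

// Return true when a rule covering $modelClass (by exact name, parent class or
// interface) has "All Editable" set to false. Models without a matching rule are
// not denied here; a real ACL should choose its default explicitly.
function isEditDenied(array $rules, string $modelClass): bool
{
    $model = normalizeClass($modelClass);
    foreach ($rules as $rule) {
        $target = normalizeClass($rule->modelClass);
        // is_a() with $allow_string = true walks parent classes and interfaces,
        // so a subclass of the protected model is covered as well.
        if (is_a($model, $target, true) && !$rule->allEditable) {
            return true;
        }
    }
    return false;
}

// The naive exact-string comparison that lets the backslash variant slip through.
function naiveDenied(array $rules, string $modelClass): bool
{
    foreach ($rules as $rule) {
        if ($rule->modelClass === $modelClass && !$rule->allEditable) {
            return true;
        }
    }
    return false;
}

// Constructed stand-ins for a Role model, a project-specific extension of it,
// and an unrelated model.
class Role {}
class CustomRole extends Role {}
class Client {}

// Constructed rule set: the Role model is not editable by members of this role.
$rules = [new AclRule('\\Role', false)];

foreach (['Role', '\\Role', 'CustomRole', '\\CustomRole', 'Client'] as $class) {
    printf(
        "%-12s normalized+inheritance: %-7s naive string compare: %s\n",
        $class,
        isEditDenied($rules, $class) ? 'denied' : 'allowed',
        naiveDenied($rules, $class) ? 'denied' : 'allowed'
    );
}
```

With the rule written as `\Role`, the naive comparison only denies the spelling `\Role`; `Role`, `CustomRole` and `\CustomRole` all pass through, which is the behaviour described in the thread. Normalizing the name and checking with `is_a(..., true)` denies all four while still leaving the unrelated `Client` model alone.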