headhunter
Posts: 130
Posted: 12/10/2004, 4:40 AM
Yesterday when I was checking my page security, I discovered something.
I use the integrated authentication with PHPBB, which does not seem to be the problem.
When I have a page that should be accessible only to users of the admin group, it now seems to be accessible by all logged in users, even if they are only users…
I looked in the security checks from ccs in common.php and found this code:
Code:
//CCSecurityAccessCheck @0-32213439
function CCSecurityAccessCheck($GroupsAccess)
{
    $ErrorType = "success";
    if(!strlen(CCGetUserID()))
    {
        $ErrorType = "notLogged";
    }
    return $ErrorType;
}
//End CCSecurityAccessCheck
It looks like it only checks whether a user is logged in, but does not perform group security checks.
Code generated with an older version of CCS looks like this:
Code:
//CCSecurityAccessCheck @0-7B496647
function CCSecurityAccessCheck($GroupsAccess)
{
    $ErrorType = "success";
    if(!strlen(CCGetUserID()))
    {
        $ErrorType = "notLogged";
    }
    else
    {
        $GroupID = CCGetGroupID();
        if(!strlen($GroupID))
        {
            $ErrorType = "groupIDNotSet";
        }
        else
        {
            if(!CCUserInGroups($GroupID, $GroupsAccess))
                $ErrorType = "illegalGroup";
        }
    }
    return $ErrorType;
}
//End CCSecurityAccessCheck
I didn’t have the time yet to check this out.
Anyone having the same findings?
Version of CCS: 2.3.2.24
Thanks!
|
headhunter
Posts: 130
Posted: 12/10/2004, 7:27 AM
Oops, seems like I submitted 3 times...
In the meantime I was able to test it and it solved my problem.
Now I wait for others to look in their code and reply to this post.
Maybe it's something with my installation of CCS2?
|
peterr
Posts: 5971
Posted: 12/10/2004, 9:26 AM
I'd recommend that you back up, then delete Common.php, so that CCS can re-generate it correctly when publishing next time. Also please make sure that all fields have values in Project Settings -> Security.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com
|
headhunter
Posts: 130
Posted: 12/10/2004, 10:37 AM
Found the problem thanks to peterr.
When using the unified login with phpbb, I do not need all the fields in the security tab because the Login.php does all the work.
But when not filling these fields, the group security check isn't there in Common.php
I manually added the code and it works fine now.
Problem solved.
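Since the thread shows Common.php can be regenerated without the group check when the Security fields are left empty, a check run after each publish can catch the login-only variant before it ships. The script below is an added example, not part of the thread or of CCS; the function names `access_check_body` and `audit_common_php` are hypothetical, the sample strings are constructed from the two listings in the first post, and the parsing is a heuristic (regex plus brace counting), not a PHP parser.

```python
import re
import sys

# Constructed samples: the two listings from the first post, condensed onto fewer lines.
LOGIN_ONLY = ('function CCSecurityAccessCheck($GroupsAccess) { $ErrorType = "success"; '
              'if(!strlen(CCGetUserID())) { $ErrorType = "notLogged"; } return $ErrorType; }')
GROUP_CHECKED = ('function CCSecurityAccessCheck($GroupsAccess) { $ErrorType = "success"; '
                 'if(!strlen(CCGetUserID())) { $ErrorType = "notLogged"; } else { '
                 '$GroupID = CCGetGroupID(); if(!strlen($GroupID)) { $ErrorType = "groupIDNotSet"; } '
                 'else { if(!CCUserInGroups($GroupID, $GroupsAccess)) $ErrorType = "illegalGroup"; } } '
                 'return $ErrorType; }')

def access_check_body(php_source):
    """Return the body of CCSecurityAccessCheck, or None if absent or unbalanced."""
    m = re.search(r"function\s+CCSecurityAccessCheck\s*\([^)]*\)\s*\{", php_source, re.I)
    if m is None:
        return None
    depth = 1
    # Heuristic brace matching: assumes no braces inside string literals,
    # which holds for both generated variants shown in the thread.
    for i in range(m.end(), len(php_source)):
        if php_source[i] == "{":
            depth += 1
        elif php_source[i] == "}":
            depth -= 1
            if depth == 0:
                return php_source[m.end():i]
    return None

def audit_common_php(php_source):
    """Classify the function as 'missing', 'login-only' or 'group-checked'."""
    body = access_check_body(php_source)
    if body is None:
        return "missing"
    body = re.sub(r"//[^\n]*", "", body)  # ignore commented-out checks
    # The older generated code passes $GroupsAccess to CCUserInGroups();
    # the regenerated code never reads the parameter at all.
    if re.search(r"CCUserInGroups\s*\([^)]*\$GroupsAccess", body):
        return "group-checked"
    return "login-only"

if __name__ == "__main__":
    # Usage: python audit.py path/to/Common.php (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = LOGIN_ONLY
    verdict = audit_common_php(source)
    print(verdict)
    sys.exit(0 if verdict == "group-checked" else 1)
```

A non-zero exit status means the published Common.php would let any logged-in user through pages restricted by group.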