| Author |
Message |
Wiseman
MD user level 5
Joined: Mar 15, 2005
Posts: 101
Location: Spain
Member
|
 Posted:
Jan 27, 2007 - 12:01 AM |
 
|
| Post subject: Small issue regarding group admin permissions (MDPro 1.0.76) |
I've noticed an inconsistency with the group administration permissions in MDPro 1.076. (This problem does not affect MDLite RC2.)
When viewing a group with sufficient permission (Edit on Groups::@$name::$gid), the per-user delete link to the right of the user name (used to remove users from a group) is hidden if the user doesn't have Delete permission on Groups::@$name::$gid. However, the delete function itself only checks for Edit permission, so that even if you don't see the Delete link to remove a user from a group, you can do so with only Edit permission on the group by going to the following URL (line broken to ensure full display):
http://.../admin.php?module=NS-Groups&op=
secdeleteuserfromgroup&uid=UID&gid=GID
where UID and GID are the user and group IDs.
To change this so that you require delete permission on a group to remove users from a group, edit the file modules/NS-Groups/admin.php . Line 642 reads:
| Code:
|
|
if (!pnSecAuthAction(0, 'Groups::', "$gname::$gid", ACCESS_EDIT)) {
|
Change it to:
| Code:
|
|
if (!pnSecAuthAction(0, 'Groups::', "$gname::$gid", ACCESS_DELETE)) {
|
However, you may want to do the opposite: allow users to remove users from a group with Edit access. To do so, instead of the previous patch, do the following on line 221: change
| Code:
|
|
if (pnSecAuthAction(0, 'Groups::', "$gname::$gid", ACCESS_DELETE)) {
|
into
| Code:
|
|
if (pnSecAuthAction(0, 'Groups::', "$gname::$gid", ACCESS_EDIT)) {
|
|
|
|
|
|
|
|
| |
Forum FAQ
Search
Usergroups
Preferences
Options forum
Watched Topics
Latest forum posts
Log in to check your private messages
Log in
