Permission Issue With Admin User Group

 
  • arteeni
  • Advanced Member
  • Members
  • Join Date: 07-Aug 15
  • 85 posts

Posted 27 March 2016 - 11:59 PM #1

Hello all,

I am trying to create an admin account that has some restrictions on what it can manage, compared with the default admin accounts that have access to everything. To do this, I created a new user group and gave that group privileges for the things I wanted them to access and everything else I disabled. Overall, this worked as intended, with the exception of one issue that I can't fix.

Users assigned to that group are not able to view or manage the Vendor’s administrator accounts (admin.php?dispatch=profiles.manage&user_type=V) - it just says "No data found". Also, if I click the "+" button, I get a "403, Access Denied" error. Even if I have all privileges for the group enabled, it still does this.

So, is this functionality intended or is it a bug? If it is intended, is there some modification I can make to change that? FYI, I'm running MVE 4.3.4 and have also confirmed this is present on the current demo which is running 4.3.6.

Thanks in advance,
Jason


Arteeni - a marketplace for artisan, handmade goods, with a charitable twist.


 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3808 posts

Posted 28 March 2016 - 05:43 AM #2

Hello all,

I am trying to create an admin account that has some restrictions on what it can manage, compared with the default admin accounts that have access to everything. To do this, I created a new user group and gave that group privileges for the things I wanted them to access and everything else I disabled. Overall, this worked as intended, with the exception of one issue that I can't fix.

Users assigned to that group are not able to view or manage the Vendor’s administrator accounts (admin.php?dispatch=profiles.manage&user_type=V) - it just says "No data found". Also, if I click the "+" button, I get a "403, Access Denied" error. Even if I have all privileges for the group enabled, it still does this.

So, is this functionality intended or is it a bug? If it is intended, is there some modification I can make to change that? FYI, I'm running MVE 4.3.4 and have also confirmed this is present on the current demo which is running 4.3.6.

Thanks in advance,
Jason

 

Only the root administrator can edit the vendor’s administrator accounts. By default, it is the user with user_id=1.


Sincerely yours, CS-Cart Support Team

 



 
  • arteeni
  • Advanced Member
  • Members
  • Join Date: 07-Aug 15
  • 85 posts

Posted 29 March 2016 - 12:47 AM #3

Only the root administrator can edit the vendor’s administrator accounts. By default, it is the user with user_id=1.

 

I'm seeing something different. If I disable that new group for the account, I can then view and edit the vendor's administrator accounts, no problem, even if it isn't the root administrator account (user_id=1). But, as soon as I activate the new group for that admin account, I can no longer access it.


Arteeni - a marketplace for artisan, handmade goods, with a charitable twist.


 
  • marsx3
  • Advanced Member
  • Trial users
  • Join Date: 20-Jul 14
  • 122 posts

Posted 19 April 2016 - 08:32 AM #4

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.



 
  • arteeni
  • Advanced Member
  • Members
  • Join Date: 07-Aug 15
  • 85 posts

Posted 19 April 2016 - 03:32 PM #5

Yea, same here. I submitted a ticket to the CS Cart team and they responded saying that it isn't a bug, rather that it is intended to work that way. I still don't see how that is. Because, it seems to me that if I have an admin account that is part of a group where no privileges are disabled that it should have access to view and manage any type of user, except maybe the root admin.


Arteeni - a marketplace for artisan, handmade goods, with a charitable twist.


 
  • marsx3
  • Advanced Member
  • Trial users
  • Join Date: 20-Jul 14
  • 122 posts

Posted 20 April 2016 - 09:13 AM #6

It is a bug, another way it is a stupid idea.



 
  • marsx3
  • Advanced Member
  • Trial users
  • Join Date: 20-Jul 14
  • 122 posts

Posted 20 April 2016 - 09:16 AM #7

Please ask cs-cart support in your ticket question, why root user have now access to import export function?! If I give to root user admin group I can access but lost user access. It is a bug!



 
  • arteeni
  • Advanced Member
  • Members
  • Join Date: 07-Aug 15
  • 85 posts

Posted 20 April 2016 - 02:44 PM #8

Please ask cs-cart support in your ticket question, why root user have now access to import export function?! If I give to root user admin group I can access but lost user access. It is a bug!

I'm not sure what you're saying, sorry


Arteeni - a marketplace for artisan, handmade goods, with a charitable twist.


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 20 April 2016 - 09:41 PM #9

There are 3 levels of administration:

1) Admin with  is_root=Y in the DB (not accessible via UI)

2) Admin in usergroup (some restrictions apply even if there are no restrictions set)

3) Admin without is_root=Y and not in any usergroup

 

#1 can do anything

#2 operates with some restrictions but can't edit other administrator accounts or modify usergroups

#3 Generally all functions accessible but can't edit other admin accounts or modify user groups

 

In MVE if an account is actually a Vendor Administrator, then it only has rights to modify things related to a specific vendor (company)


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • marsx3
  • Advanced Member
  • Trial users
  • Join Date: 20-Jul 14
  • 122 posts

Posted 21 April 2016 - 07:38 AM #10

There are 3 levels of administration:

1) Admin with  is_root=Y in the DB (not accessible via UI)

 

#1 can do anything

Thank you for your answer. But after update to 4.3.6 root user cannot access Import/Export menus in admin panel. Error 403. If I give to root user Admin group, after it I can access Import/Export, but cannot see other admin accounts. Before, as you wrote, root can do anything.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 21 April 2016 - 07:22 PM #11

Verify that there are no usergroups defined for the user_id of your is_root user in cscart_usergroup_links.

I do not experience this issue in 4.3.6.  My guess is that you have that user in some usergroup.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
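
An added example, not part of the original posts and not CS-Cart code: the check suggested in post #11, combined with the three levels listed in post #9, as one audit query. It runs against a constructed in-memory SQLite stand-in; `cscart_usergroup_links`, `user_id` and `is_root` come from the thread, while the `cscart_users` table name and the `user_type` and `usergroup_id` columns are assumptions.

```python
import sqlite3

# Constructed stand-in schema. Assumed names: cscart_users, user_type, usergroup_id.
SCHEMA = """
CREATE TABLE cscart_users (user_id INTEGER PRIMARY KEY, user_type TEXT, is_root TEXT);
CREATE TABLE cscart_usergroup_links (user_id INTEGER, usergroup_id INTEGER);
"""

# Constructed sample rows: user 1 is root but linked to a usergroup,
# user 2 is a grouped admin, user 3 an ungrouped admin, user 4 a vendor admin.
SAMPLE_USERS = [(1, "A", "Y"), (2, "A", "N"), (3, "A", "N"), (4, "V", "N")]
SAMPLE_LINKS = [(1, 7), (2, 7)]

# Count usergroup links per store admin (user_type 'A' is an assumption).
AUDIT_SQL = """
SELECT u.user_id, u.is_root, COUNT(l.usergroup_id) AS n_groups
FROM cscart_users u
LEFT JOIN cscart_usergroup_links l ON l.user_id = u.user_id
WHERE u.user_type = 'A'
GROUP BY u.user_id, u.is_root
ORDER BY u.user_id
"""

def classify(is_root, n_groups):
    """Map one admin row onto the levels from post #9, plus the conflict case."""
    if is_root == "Y" and n_groups:
        return "root linked to usergroup: remove the link"
    if is_root == "Y":
        return "level 1: root"
    if n_groups:
        return "level 2: admin in usergroup"
    return "level 3: admin without usergroup"

def audit(conn):
    """Return (user_id, level) for every store admin account."""
    return [(uid, classify(root, n)) for uid, root, n in conn.execute(AUDIT_SQL)]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cscart_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO cscart_usergroup_links VALUES (?, ?)", SAMPLE_LINKS)
    return conn

if __name__ == "__main__":
    for user_id, level in audit(build_sample_db()):
        print(user_id, level)
```
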


 
  • marsx3
  • Advanced Member
  • Trial users
  • Join Date: 20-Jul 14
  • 122 posts

Posted 21 April 2016 - 08:24 PM #12

Verify that there are no usergroups defined for the user_id of your is_root user in cscart_usergroup_links.

I do not experience this issue in 4.3.6.  My guess is that you have that user in some usergroup.

 

 

Thank you! It resolved the problem.



 
  • arteeni
  • Advanced Member
  • Members
  • Join Date: 07-Aug 15
  • 85 posts

Posted 22 April 2016 - 02:15 AM #13

There are 3 levels of administration:

1) Admin with  is_root=Y in the DB (not accessible via UI)

2) Admin in usergroup (some restrictions apply even if there are no restrictions set)

3) Admin without is_root=Y and not in any usergroup

 

#1 can do anything

#2 operates with some restrictions but can't edit other administrator accounts or modify usergroups

#3 Generally all functions accessible but can't edit other admin accounts or modify user groups

 

In MVE if an account is actually a Vendor Administrator, then it only has rights to modify things related to a specific vendor (company)

 

That makes sense in general, but I just don't understand why it places restrictions on an admin (even a root admin) when added to a group where everything in that group is enabled.


Arteeni - a marketplace for artisan, handmade goods, with a charitable twist.


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 22 April 2016 - 08:27 PM #14

Because the logic in the code does some things related to 'permissions' and some based on 'is_root'.

I.e. it doesn't make much sense to have the ability to manage usergroups for admins in a permission that is controlled by a usergroup.

 

It correlates with most other 'systems' where there is a 'root' user that has more power than other administrative users.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3270 posts

Posted 31 May 2016 - 01:18 PM #15

I have problem accessing

admin.php?dispatch=exim.export

 

Says I have no permission to access this page.

 

I got only root admin and it is not assigned to any other group?

 

Strange that if I create new admin I can access this page..

 

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3270 posts

Posted 31 May 2016 - 01:22 PM #16

How do you do that?

 

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3270 posts

Posted 31 May 2016 - 05:29 PM #17

Fixed with this msg. Thank you

 

Verify that there are no usergroups defined for the user_id of your is_root user in cscart_usergroup_links.

I do not experience this issue in 4.3.6.  My guess is that you have that user in some usergroup.



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3270 posts

Posted 10 June 2016 - 07:17 AM #18

-