Permission Issue With Admin User Group

Hello all,

I am trying to create an admin account that has some restrictions on what it can manage, compared with the default admin accounts that have access to everything. To do this, I created a new user group and gave that group privileges for the things I wanted them to access and everything else I disabled. Overall, this worked as intended, with the exception of one issue that I can't fix.

Users assigned to that group are not able to view or manage the Vendor’s administrator accounts (admin.php?dispatch=profiles.manage&user_type=V) - it just says "No data found". Also, if I click the "+" button, I get a "403, Access Denied" error. Even if I have all privileges for the group enabled, it still does this.

So, is this functionality intended or is it a bug? If it is intended, is there some modification I can make to change that? FYI, I'm running MVE 4.3.4 and have also confirmed this is present on the current demo which is running 4.3.6.

Thanks in advance,
Jason

Only the root administrator can edit the vendor’s administrator accounts. By default, it is the user with user_id=1.

I'm seeing something different. If I disable that new group for the account, I can then view and edit the vendor's administrator accounts, no problem, even if it isn't the root administrator account (user_id=1). But, as soon as I activate the new group for that admin account, I can no longer access it.

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.

Yea, same here. I submitted a ticket to the CS Cart team and they responded saying that it isn't a bug, rather that it is intended to work that way. I still don't see how that is. Because, it seems to me that if I have an admin account that is part of a group where no privileges are disabled that it should have access to view and manage any type of user, except maybe the root admin.

It is a bug another way it is stupid idea.

Please ask cs-cart support in your ticket question, why root user have now access to import export function?! If I give to root user admin group I can access but lost user access. It is a bug!

I'm not sure what you're saying, sorry

There are 3 levels of administration:

1) Admin with is_root=Y in the DB (not accessible via UI)

2) Admin in usergroup (some restrictions apply even if there are no restrictions set)

3) Admin without is_root=Y and not in any usergroup

#1 can do anything

#2 operates with some restrictions but can't edit other administrator accounts or modify usergroups

#3 Generally all functions accessible but can't edit other admin accounts or modify user groups

In MVE if an account is actually a Vendor Administrator, then it only has rights to modify things related to a specific vendor (company)

There are 3 levels of administration:

1) Admin with is_root=Y in the DB (not accessible via UI)

#1 can do anything

Thank you for your answer. But after update to 4.3.6 root user cannot access Import/Export menus in admin panel. Error 403. If I give to root user Admin group, after it I can access Import/Export, but cannot see other admin accounts. Before, as you wrote, root can do anything.

Verify that there are no usergroups defined for the user_id of your is_root user in cscart_usergroup_links.

I do not experience this issue in 4.3.6. My guess is that you have that user in some usergroup.
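
The check suggested above, combined with the three administrator levels listed earlier in the thread, as an added example that is not part of the original posts or of CS-Cart's code. It runs the audit query against a constructed in-memory stand-in; the table cscart_users, the columns usergroup_id and status, and the 'A' codes are assumptions about the schema.

```python
import sqlite3

# Constructed stand-in data. cscart_usergroup_links, user_id, is_root and
# user_type appear in the thread; cscart_users, usergroup_id, status and the
# 'A' codes (admin user type, active link) are assumptions about the schema.
SAMPLE = """
CREATE TABLE cscart_users (user_id INTEGER PRIMARY KEY, user_type TEXT, is_root TEXT);
CREATE TABLE cscart_usergroup_links (user_id INTEGER, usergroup_id INTEGER, status TEXT);
INSERT INTO cscart_users VALUES (1,'A','Y'), (2,'A','N'), (3,'A','N'), (4,'V','N');
INSERT INTO cscart_usergroup_links VALUES (1,5,'A'), (2,5,'A'), (3,5,'D');
"""

# One row per store admin with its total and active usergroup links.
AUDIT_SQL = """
SELECT u.user_id, u.is_root,
       COUNT(l.usergroup_id) AS links,
       SUM(CASE WHEN l.status = 'A' THEN 1 ELSE 0 END) AS active_links
FROM cscart_users u
LEFT JOIN cscart_usergroup_links l ON l.user_id = u.user_id
WHERE u.user_type = 'A'
GROUP BY u.user_id, u.is_root
ORDER BY u.user_id
"""

def classify(is_root, active_links):
    """Map an admin to the three levels described in the thread."""
    if active_links:
        return "usergroup admin"  # level 2: restrictions apply
    # A disabled link is treated as no membership, as reported in the thread.
    return "root" if is_root == "Y" else "ungrouped admin"  # levels 1 and 3

def audit_admins(conn):
    report = []
    for user_id, is_root, links, active in conn.execute(AUDIT_SQL):
        report.append({
            "user_id": user_id,
            "level": classify(is_root, active),
            "links": links,
            # The case from the thread: a root account that sits in a usergroup.
            "root_in_usergroup": is_root == "Y" and links > 0,
        })
    return report

def demo(remove_root_links=False):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    if remove_root_links:  # the fix that resolved the problem in the thread
        conn.execute("DELETE FROM cscart_usergroup_links WHERE user_id IN "
                     "(SELECT user_id FROM cscart_users WHERE is_root = 'Y')")
    return audit_admins(conn)
```

The AUDIT_SQL statement on its own can be run read-only against the store's database once the table prefix and column names are confirmed.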

Thank you! It resolved the problem.

There are 3 levels of administration:

1) Admin with is_root=Y in the DB (not accessible via UI)

2) Admin in usergroup (some restrictions apply even if there are no restrictions set)

3) Admin without is_root=Y and not in any usergroup

#1 can do anything

#2 operates with some restrictions but can't edit other administrator accounts or modify usergroups

#3 Generally all functions accessible but can't edit other admin accounts or modify user groups

In MVE if an account is actually a Vendor Administrator, then it only has rights to modify things related to a specific vendor (company)

That makes sense in general, but I just don't understand why it places restrictions on an admin (even a root admin) when added to a group where everything in that group is enabled.

Because the logic in the code does some things related to 'permissions' and some based on 'is_root'.

I.e. it doesn't make much sense to have the ability to manage usergroups for admins in a permission that is controlled by a usergroup.

It correlates with most other 'systems' where there is a 'root' user that has more power than other administrative users.

I have problem accessing

admin.php?dispatch=exim.export

Says I have no permission to access this page.

I got only root admin and it is not assigned to any other group?

Strange that if I create new admin I can access this page..

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.

How do you do that?

Same problem after upgrade to 4.3.6. If I assign Administrator group to my root account, I cannot see other administrator accounts, but if I leave only root, I can see all accounts.

Fixed with this msg. Thank you

Verify that there are no usergroups defined for the user_id of your is_root user in cscart_usergroup_links.

I do not experience this issue in 4.3.6. My guess is that you have that user in some usergroup.
