  • Fixing Issue with the Group Security Bug

    All,
    As we all know there is an issue with the SC security, where it will only give permission for one group.
    You cannot add a user to multiple groups.
    I have been working this issue all day, and I thought I had it fixed...
    But for some reason, it is not working...
    Can someone take a look at the login app and see what I may be missing?
    I know the SQL is generating the right dataset...

    Here is the SQL I am using to get the results...

    Code:
    $sql = "SELECT
                app_name,
                ifnull(max(priv_access), 'N') as priv_access,
                ifnull(max(priv_insert), 'N') as priv_insert,
                ifnull(max(priv_delete), 'N') as priv_delete,
                ifnull(max(priv_update), 'N') as priv_update,
                ifnull(max(priv_export), 'N') as priv_export,
                ifnull(max(priv_print),  'N') as priv_print
            FROM news_sec_groups_apps
            WHERE group_id IN
                (SELECT group_id
                   FROM news_sec_users_groups
                  WHERE login = '" . [usr_login] . "')
            GROUP BY app_name";
    If I echo the sc_apl_conf, the results say that the available ones are on, and the denied ones are off...

    I see there is a function being called but can't see why it would make this not work;
    here is the code in the PHP section of the login program:
    Code:
    return ($param == 'Y' ? 'on' : 'off');
    To be honest I don't know what this is doing...

    Come on guys, let's get this issue fixed once and for all.


    kev

  • #2
    Kev...

    I believe the problem is that you (somebody) needs to decide the 'stacking order' of the results.

    If I am in two groups A and B.

    A has XML permission Y and B has XML permission N... should I have permission or not?

    Some security 'theory' says I pick the first match for the resource I find in the list (yes or no).
    Some says if any say yes, then I get Y.
    Some says they need to be applied in a particular order (first A, then B).
    Some say 'least permission'... so if there are any N, pick N.
    Some say 'most permission'... so if there are any Y, pick Y.

    There is really only one 'answer' yes or no, but how you get there 'depends'.

    Plus, the sample I looked at had some fields set to NULL, some to Y, some to N.
    And the column is defined as TEXT, not just one character.. so there are a whole lot of other possibilities.

    Is NULL different from N?

    Must the field be Y and anything else means N?



    • #3
      I am trying to fix the bug within Scriptcase.
      I am not trying to determine their path, just trying to fix their logic.

      If you look at their code in the validation success,
      it doesn't take into consideration multiple groups.

      If the permissions are Y in any of the fields it turns the application on.

      I have put debug in all of the code and the apps should be off
      When the menu comes up
      All the menu applications are available



      • #4
        I think this is the problem... I am not sure what the 'right' answer should be.

        group_id app_name priv_access priv_insert priv_delete priv_update priv_export priv_print
        1 app_change_pswd Y N N N N N
        2 app_change_pswd N N N N N N

        If the user is a member of group 1 and group 2

        Should they have access to app_change_pswd or not? (and why?).
        Their current logic says that if there is a Y in any column, then the application needs to be enabled (which makes sense.. that is the only way they can get to the part of the application they have permission to).

        A potential problem is that, at least with MySQL, without an ORDER BY clause the DB is free to return the rows in any order it feels like. So one time it might get group 2 first, then group 1, so you would end up with 'Y'; other times it might return group 1, then group 2, so you would end up with 'N'.

        But I believe that their logic is right. If there is a Y in any column, then the user needs to be able to get at the app, and the app needs to show/hide buttons depending on which permissions were set.

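The 'most permission' and 'least permission' policies from #2 and the MAX/GROUP BY merge discussed in #4, worked through against an in-memory SQLite copy of the two tables. This is an added example, not Scriptcase's own code: the rows, the logins and the third group with NULL privileges are constructed, and only three privilege columns are kept.

```python
import sqlite3

# Constructed rows modelled on the table in post #4 (only three privilege
# columns kept for brevity); group 3 carries NULLs to show how they merge.
GROUP_APPS = [
    (1, "app_change_pswd", "Y", "N", None),
    (2, "app_change_pswd", "N", "N", "Y"),
    (3, "app_change_pswd", None, None, None),
]
USER_GROUPS = [("kev", 1), ("kev", 2), ("kev", 3), ("bob", 2)]
PRIVS = ("priv_access", "priv_insert", "priv_delete")

# How each policy folds one privilege column across the user's groups.
# MAX() skips NULLs and 'Y' > 'N', so any Y wins; the outer ifnull turns
# an all-NULL group set into N. For "least permission" NULL must become N
# *before* MIN(), otherwise MIN() would skip it and a lone Y could win.
POLICIES = {
    "most":  "ifnull(max({c}), 'N') AS {c}",
    "least": "min(ifnull({c}, 'N')) AS {c}",
}

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news_sec_groups_apps (group_id INTEGER, app_name TEXT,
            priv_access TEXT, priv_insert TEXT, priv_delete TEXT);
        CREATE TABLE news_sec_users_groups (login TEXT, group_id INTEGER);
    """)
    conn.executemany("INSERT INTO news_sec_groups_apps VALUES (?,?,?,?,?)", GROUP_APPS)
    conn.executemany("INSERT INTO news_sec_users_groups VALUES (?,?)", USER_GROUPS)
    return conn

def effective_privs(login, policy="most"):
    """Return {app_name: {priv: 'Y'|'N'}} for every app the user's groups mention.
    GROUP BY yields one row per app, so the row order issue from #4 disappears."""
    cols = ", ".join(POLICIES[policy].format(c=c) for c in PRIVS)
    sql = f"""SELECT app_name, {cols}
                FROM news_sec_groups_apps
               WHERE group_id IN (SELECT group_id FROM news_sec_users_groups
                                   WHERE login = ?)
               GROUP BY app_name"""
    rows = build_db().execute(sql, (login,)).fetchall()  # bound parameter, not concatenation
    return {r[0]: dict(zip(PRIVS, r[1:])) for r in rows}

def sc_switch(priv):
    """The one-liner quoted in #1: 'Y' -> 'on', anything else -> 'off'."""
    return "on" if priv == "Y" else "off"
```

Under 'most' kev gets access to app_change_pswd because group 1 says Y; under 'least' group 2's N wins, and the NULL in group 1's priv_delete is treated as N rather than ignored.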


        • #5
          That is correct.
          That is why the code needs to select distinct records.

          $sql = "SELECT
          app_name,
          ifnull(max(priv_access), 'N') as priv_access,
          ifnull(max(priv_insert),'N') as priv_insert,
          ifnull(max(priv_delete),'N') as priv_delete,
          ifnull(max(priv_update),'N') as priv_update,
          ifnull(max(priv_export),'N') as priv_export,
          ifnull(max(priv_print),'N') as priv_print
          FROM news_sec_groups_apps
          WHERE group_id IN
          (SELECT
          group_id
          FROM
          news_sec_users_groups
          WHERE
          login = '". [usr_login] ."') group by app_name";

          This works.
          The menu, for some reason, is not
          displaying it as the code says to.



          • #6
            There has been a notice somewhere that the menu is not working with the security model in 7. I have a working model in 7, but I don't know if my situation is comparable as I use my own security model. The most advanced generated model is very complicated to end-users and admins with the enormous amounts of checkboxes. I like to separate my users to 'roles' and apply security on those roles.
            Albert Drent
            aducom software netherlands
            scriptcase partner, reseller, support and (turn-key) development
            www.scriptcase.eu / www.scriptcase.nl



            • #7
              Yea,
              this is all dealing with ver 6.



              • #8
                Well...
                as Roseanne Roseannadanna said... never mind...
                It works perfectly if you turn on security and password in the MY SETTINGS...

                At least we can now add multiple groups to users by changing the SQL in the login...

                Kev



                • #9
                  What the heck is that... do we have to fix that security as well? I'm getting this issue with ver 7.
                  Website Design



                  • #10
                    Yea,
                    and your donations for my time and effort are welcome.



                    • #11
                      I still have a problem with multiple groups;
                      is there any easy, sensible solution so I can fix it myself?

                      Please help us.
                      Thanks
                      Website Design



                      • #12
                        Did you follow the instructions that I put in the fix in this post?
                        If so, then what is the problem?

                        Kevin



                        • #13
                          Yes Kevin, after posting this thread I followed the instructions, and it looks like it's working, but...
                          I don't feel satisfied; it might go wrong after I make the application live on the production environment.

                          What do you think about it... please advise...
                          but it's working now...
                          Website Design



                          • #14
                            As long as you don't recreate the security module
                            it will not revert.
                            The coding will stay.

                            Kevin



                            • #15
                              Thanks Kevin,

                              It's working fine now... I will keep your advice for future updates.

                              Thanks again.
                              Website Design
