I edited the site map to restrict access to the “Customer Roles” dropdown to Administrators only, and that works, but the issue is that the customer I created, “Test Customer”, with a role of “TestSales”, still has access to change roles, other users' roles, and to view the other available roles. The only permission not allowed is Administrator, but it is still able to change other roles with other permissions. "Admin area. Manage ACL" is also unchecked. Steps listed below:
Sorry if it’s confusing.
1. Access "Customer Roles" with Administrator role
2. Create Customer Role "TestSales"
3. Access "Access Control List" with Administrator role
4. Give "TestSales" access to "Access admin area: Manage Current Carts, Manage Customers, Manage Discounts"
5. Give "TestSales" access to all "Public store permissions"
6. Save
7. Create Customer "Test Customer" and give role of "TestSales" then save.
8. Logout of Administrator role
9. Login as "Test Customer"
10. Access Customer roles, change customer roles of “TestSales” to roles with some and all permissions. Change other users' permissions.
11. Only role not available is Administrator, but roles with all the same permissions are available.
That's right. It's by design. We only do validation for Administrator. It's not possible to validate other roles with the same permissions.
Even if, let's say, a created Role1 has 4 permissions + Manage Customers and Role2 has 15 permissions + Manage Customers, there is nothing stopping Role1 from adding Role2 to his permissions?
aladino wrote:
By viewing the "Customer Roles" tab of a customer account in the administration area it is possible for any admin user to assign additional roles to their account, thus granting them all of the features enabled for those roles. This oversight completely invalidates the ACL system.
Found it in version 3.00 under Access Control List: "Admin area. Manage Customer Roles". Trying to add this code to 3.30, or just use 3.00. I like the option of not allowing them to change user roles but still having access to place an invoice order for a customer.
I think there's a flaw in the design, I want to grant permission for a user to add/remove other users, now this user can give himself permission to role2 and get access to a lot more features! This is really a security flaw! If roles were defined based on a hierarchy structure these problems could have been avoided.
I have a system with a built-in administrator. Now I had created another administrator for my commerce manager / store manager, but when I give access to "Admin area. Manage Customers", that store manager is able to edit the super admin account, password and all details.
I think super administrator account can be edited by super admin only.
Is there any fix (or a plugin to fix) for this issue?
I need to give the store admin the ability to manage users but I cannot let him add himself to the Administrators group and play with other plugins/system configurations! It is a security requirement, I think.
I am on 4.1 version.
Thank you.
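A defensive check that addresses both complaints in this thread, the role "ladder" (a user with Manage Customers assigning themselves a richer role) and the later report of a store manager editing the super-admin account, written as an added example rather than nopCommerce's own code; the role and permission names are constructed for illustration.

```python
from typing import Dict, Set, Tuple

ADMIN_ROLE = "Administrators"

# Constructed role -> permission table modelled on the thread's scenario
# (hypothetical names, not nopCommerce's own permission records).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    ADMIN_ROLE: {"ManageACL", "ManageCustomers", "ManageCustomerRoles",
                 "ManagePlugins", "ManageSettings", "ManageDiscounts",
                 "ManageCurrentCarts"},
    "TestSales": {"ManageCustomers", "ManageCurrentCarts", "ManageDiscounts"},
    "Role2": {"ManageCustomers", "ManagePlugins", "ManageSettings"},
    "Registered": set(),
}


def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of the permissions granted by every role in the set."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def check_role_change(actor_roles: Set[str], target_roles: Set[str],
                      new_roles: Set[str]) -> Tuple[bool, str]:
    """Decide whether an actor may replace a target account's role set.

    Rule 1: only an Administrator may edit an Administrator account or
            grant/revoke the Administrator role (the 4.1 super-admin case).
    Rule 2: the actor may only add or remove roles whose permissions are a
            subset of the actor's own effective permissions, so no role can
            be used as a ladder to permissions the actor does not hold.
    """
    actor_perms = effective_permissions(actor_roles)
    if "ManageCustomers" not in actor_perms:
        return False, "actor lacks ManageCustomers"
    if ADMIN_ROLE in actor_roles:
        return True, "administrator"
    if ADMIN_ROLE in target_roles or ADMIN_ROLE in new_roles:
        return False, "only Administrators may touch the Administrator role"
    changed = target_roles ^ new_roles  # roles being added or removed
    for role in sorted(changed):
        if not ROLE_PERMISSIONS.get(role, set()) <= actor_perms:
            return False, f"role {role} grants permissions the actor lacks"
    return True, "within actor's permissions"
```

The same containment rule should run server-side on every role-changing request, not only when rendering the dropdown, since hiding the control in the site map does nothing against a direct POST.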