I would suggest modifying CustomerRoleController.cs in admin and changing every one of these lines:
if (!_permissionService.Authorize(StandardPermissionProvider.ManageCustomers))
to:
if (!_permissionService.Authorize(StandardPermissionProvider.ManageAcl))
Then you can use the "Admin area. Manage ACL" permission from within the Access control list area to limit user access. I think the permissions to manage the ACL go hand in hand with setting roles. Allowing anyone with Manage Customers rights to change users' roles and therefore change their access privileges does not make sense.
Additionally, CustomerController.cs would have to be modified to prevent roles from being added or changed when a customer record is added or edited, also using "if (!_permissionService.Authorize(StandardPermissionProvider.ManageAcl))". Allowing only the guest role here would make sense. If someone needs roles added, they would have to have a user with ACL rights do it.
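
The role-assignment check described in the post above, as an added sketch that is not part of the original post and is not nopCommerce code. `Permission`, `IPermissionCheck`, `FixedPermissions`, `RoleAssignmentGuard` and the role names are hypothetical stand-ins, and the reading of "only the guest role" (new records get the guest role, edits keep their existing roles) is an assumption.

```csharp
using System;
using System.Collections.Generic;

// Stand-ins for this sketch only; they are not nopCommerce types.
public enum Permission { ManageCustomers, ManageAcl }

public interface IPermissionCheck { bool Authorize(Permission p); }

public sealed class FixedPermissions : IPermissionCheck
{
    private readonly HashSet<Permission> _granted;
    public FixedPermissions(params Permission[] granted) { _granted = new HashSet<Permission>(granted); }
    public bool Authorize(Permission p) => _granted.Contains(p);
}

public static class RoleAssignmentGuard
{
    public const string GuestRole = "Guests"; // constructed role name

    // Returns the roles to persist for a customer create/edit request.
    // currentRoles is null when a new customer record is being created.
    public static IReadOnlyCollection<string> Resolve(
        IPermissionCheck permissions,
        IReadOnlyCollection<string> currentRoles,
        IReadOnlyCollection<string> requestedRoles)
    {
        if (permissions.Authorize(Permission.ManageAcl))
            return requestedRoles;            // ACL managers may set roles
        if (currentRoles == null)
            return new[] { GuestRole };       // new record: guest role only
        return currentRoles;                  // edit: submitted roles are ignored
    }
}

public static class Demo
{
    public static void Main()
    {
        var customerAdmin = new FixedPermissions(Permission.ManageCustomers);
        var aclAdmin = new FixedPermissions(Permission.ManageCustomers, Permission.ManageAcl);
        var submitted = new[] { "Registered", "Administrators" }; // constructed request

        // Create and edit by a user without ManageAcl, then edit by a user with it.
        Console.WriteLine(string.Join(",", RoleAssignmentGuard.Resolve(customerAdmin, null, submitted)));
        Console.WriteLine(string.Join(",", RoleAssignmentGuard.Resolve(customerAdmin, new[] { "Registered" }, submitted)));
        Console.WriteLine(string.Join(",", RoleAssignmentGuard.Resolve(aclAdmin, new[] { "Registered" }, submitted)));
    }
}
```

The point of resolving roles on the server is that the role list posted with the form is never trusted on its own; hiding the role selector in the view would not stop a crafted request.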