Self Promotion - ACL

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
toddgdaugherty wrote:
This post seems to be getting off topic. rupreck has a very legitimate concern here that I just discovered as well. That is how I found this post. A lower level staff member with access to manage customers can completely lock out any and all Global administrators and then self-promote themselves to Global administrator.

For a temporary fix, is it possible to only allow access to the "Customer Roles" tab in Customer Details (administration/CustomerDetails.aspx) for administrators with the "Manage Customer Roles" privilege checked in the Access Control List? Or, more realistically, remove this tab for administrators without this privilege.
Wondering if this issue got resolved and what the solution was.  toddg, I agree with you.
Please advise if you have come across a solution.  I need staff members to grant/deny access to their customers but not become global admin themselves.
13 years ago
Preventing a user from Self Promoting to Global Admin when allowed to manage customer roles:

My "workaround" for 1.7 in CustomerManager.cs / GetAllCustomerRoles()

            // Load roles from the current object context (nopCommerce 1.7 data layer).
            var context = ObjectContextHelper.CurrentObjectContext;
            var query = from cr in context.CustomerRoles
                        orderby cr.Name
                        // The added "cr.CustomerRoleId > 1" clause drops role ID 1,
                        // the Global Administrator role, from every list this method returns.
                        where (showHidden || cr.Active) && !cr.Deleted && cr.CustomerRoleId > 1
                        select cr;
            var customerRoles = query.ToList();

This way the Global Administrator role is not visible to those given the ability to control customer roles, thus prohibiting a user from self-promoting to global admin.

Or was there another solution that I missed from other posts?
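Added illustration (not code from the thread or from nopCommerce) of the check a practitioner would put on the save path in addition to hiding the role in the list: a non-administrator holding the role-management privilege can neither grant the Global Administrator role nor change an administrator's roles. The Customer/CustomerRole shapes and role ID 1 for administrators are assumptions taken from the filter above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-ins for nopCommerce's Customer and CustomerRole entities (assumption).
public class CustomerRole
{
    public int CustomerRoleId { get; set; }
    public string Name { get; set; }
}

public class Customer
{
    public string Username { get; set; }
    public List<CustomerRole> Roles { get; } = new List<CustomerRole>();
    public bool IsAdministrator => Roles.Any(r => r.CustomerRoleId == RoleGuard.AdminRoleId);
}

public static class RoleGuard
{
    // Assumption: ID 1 is the Global Administrator role that the thread's
    // "cr.CustomerRoleId > 1" filter hides from the role list.
    public const int AdminRoleId = 1;

    // Enforced where the change is saved, not only in the Customer Roles tab, so a
    // request that never saw the filtered list is still refused:
    //  - administrators may change anything;
    //  - non-administrators may not touch an administrator's roles (prevents lock-out);
    //  - non-administrators may not grant or revoke the administrator role (prevents self-promotion).
    public static bool CanChange(Customer actor, Customer target, CustomerRole role)
    {
        if (actor.IsAdministrator) return true;
        if (target.IsAdministrator) return false;
        return role.CustomerRoleId != AdminRoleId;
    }

    // grant == true adds the role, false removes it; the same rule applies either way.
    public static void ChangeRole(Customer actor, Customer target, CustomerRole role, bool grant)
    {
        if (!CanChange(actor, target, role))
            throw new UnauthorizedAccessException(
                $"{actor.Username} may not {(grant ? "grant" : "revoke")} '{role.Name}' for {target.Username}");
        target.Roles.RemoveAll(r => r.CustomerRoleId == role.CustomerRoleId);
        if (grant) target.Roles.Add(role);
    }
}
```

With a non-administrator as actor, `ChangeRole(actor, actor, adminRole, true)` throws (no self-promotion) and `ChangeRole(actor, someAdmin, adminRole, false)` throws (no lock-out), while granting an ordinary role to an ordinary customer succeeds.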
13 years ago
This problem really needs a solution implemented; I am very surprised this isn't covered by the ACL system considering how fundamental the feature is.
13 years ago
add your vote

http://nopcommerce.codeplex.com/workitem/9454
13 years ago
Maybe this problem can be solved if the Administration "Manage Customers" privilege is split into two:
1) "Manage Customers and Administrators", with the same privileges as the present "Manage Customers", which will be accessible only to Global/Super Administrators
2) "Manage Customers", which may not have access to those customers marked as IsAdministrator=True. Better if this option does not have access to change the IsAdministrator status