After applying the ACL, can access if I know the complete URL

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
I am using version 1.7 of NopCommerce. I have a security issue. On my website I have multiple administrator levels; for controlling these levels I define multiple customer roles and in the Access Control List give them access. Let's take an example:

1. I have a customer [email protected] who is my customer and also an administrator of my website.
2. I create the customer role (A Zone Customer).
3. I assign that role to the [email protected] customer.
4. In the ACL I grant access only to see "Manage Orders".

If the above customer logs in and uses the administration panel through the navigation menu, then he cannot access anything except Orders. For example, if he goes to Product --> Manage Products, the system does not allow him access, but if he knows the complete URL along with the product id, like below:

http://localhost:1254/administration/ProductDetails.aspx?ProductId=776

then the website allows him to access that particular product page and he can change everything.

Please help me restrict the customer so that he cannot access these pages. It's urgent.


Thanks
Noman Mansoor
13 years ago
Please help me on this issue.
13 years ago
Noman wrote:

1. I have a customer [email protected] who is my customer and also an administrator of my website.
2. I create the customer role (A Zone Customer).
3. I assign that role to the [email protected] customer.
4. In the ACL I grant access only to see "Manage Orders".


If you are assigning the same email id to both roles, then he can enjoy both privileges.

Try a different id.
13 years ago
Noman wrote:
...but if he knows the complete URL along with the product id, like below

http://localhost:1254/administration/ProductDetails.aspx?ProductId=776

Hi Noman,

It's not possible to visit the product details page if you're not granted permission to do it. Open the \NopCommerceStore\Administration\ProductDetails.aspx.cs file. It contains the following code:

    // Page-level security check: the page is only served when the
    // current user holds the "ManageCatalog" ACL action.
    protected override bool ValidatePageSecurity()
    {
        return this.ACLService.IsActionAllowed("ManageCatalog");
    }

It performs all the required authorization.
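The point of the answer above is that a hidden menu link is not authorization: every admin page must run its own server-side check on each request, so a typed-in URL such as ProductDetails.aspx?ProductId=776 hits the same check as a menu click. The following is an added illustration of that pattern, not nopCommerce's own code; the names IAclService, BaseAdminPage and AccessDenied.aspx are assumptions.

```csharp
// Added illustration (not nopCommerce's own code) of per-page authorization
// in an ASP.NET WebForms admin area. Assumed names: IAclService,
// BaseAdminPage, AccessDenied.aspx.
using System;
using System.Web.UI;

public interface IAclService
{
    // Returns true when the current user's roles grant the named action.
    bool IsActionAllowed(string actionSystemName);
}

public abstract class BaseAdminPage : Page
{
    // Supplied by the application at runtime (assumption); shown as a
    // property so the pattern is visible.
    protected IAclService ACLService { get; set; }

    // Every admin page declares the single ACL action it requires.
    protected abstract bool ValidatePageSecurity();

    protected override void OnPreInit(EventArgs e)
    {
        base.OnPreInit(e);
        // Runs on every request to this page, whether it was reached from
        // the navigation menu or from a deep link typed into the browser,
        // and before any control renders or any postback handler fires.
        if (!ValidatePageSecurity())
        {
            Response.Redirect("~/Administration/AccessDenied.aspx", true);
        }
    }
}

public class ProductDetails : BaseAdminPage
{
    // A user holding only "ManageOrders" fails this check and is redirected,
    // even though the URL ProductDetails.aspx?ProductId=776 is well known.
    protected override bool ValidatePageSecurity()
    {
        return ACLService.IsActionAllowed("ManageCatalog");
    }
}
```

If a page in a custom installation can still be viewed by deep link, the first thing to check is whether that page's code-behind overrides ValidatePageSecurity at all, since a page without the override runs no check.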
13 years ago
You are absolutely right, but the user can see the detail page if he writes the complete URL. He cannot change anything, but he sees all the tabs of that product page and sees the information.

Thanks
Noman Mansoor
13 years ago
Noman wrote:
You are absolutely right, but the user can see the detail page if he writes the complete URL. He cannot change anything, but he sees all the tabs of that product page and sees the information.

Thanks
Noman Mansoor

No, it's not possible. A user will be redirected to the 'access denied' page. Just try it on a clean installation.
12 years ago
User role assignment doesn't take effect in nopCommerce 1.70 except for global administrator and forum moderator. Does anyone have an idea why it's not working? I have enabled the access control list under the configuration menu and assigned the role in customer management, but it's not working. Why is that? I have ticked "Is administrator" in customer info too.