Employee groups module permissions problem


TheDrotX

I noticed this while setting permissions for an employee group. PrestaShop ver. 1.6.1.7.

I'm trying to give this specific group permissions to View, Add, Edit/Configure but not Delete or Uninstall modules, because I don't want this group to be able to delete module DB tables and data.

 

Example for productcomments module:

For AdminModules tab I unchecked Delete permission and for productcomments I unchecked Uninstall permission.

 

Group cannot delete module - OK.

Group cannot uninstall module - OK.

Group CAN reset module, which uninstalls and reinstalls it, because it has Configure permission, which resets all permissions for the module, and all the comments from the DB with it.

Yes, it gives you the option to keep data, but still I don't want this group to be able to remove DB tables and their data.

 

AdminModulesController.php

public function postProcessReset()
{
    if ($this->tabAccess['edit'] === '1') {
        $module = Module::getInstanceByName(Tools::getValue('module_name'));
        if (Validate::isLoadedObject($module)) {

            /* Shouldn't this check for uninstall permission ? */

            if (!$module->getPermission('configure')) {
                $this->errors[] = Tools::displayError('You do not have the permission to use this module.');

If the group has View access on AdminModules, the group gets all permissions for this module.

 

Module.php

// Permissions management
Db::getInstance()->execute('
    INSERT INTO `'._DB_PREFIX_.'module_access` (`id_profile`, `id_module`, `view`, `configure`, `uninstall`) (
        SELECT id_profile, '.(int)$this->id.', 1, 1, 1
        FROM '._DB_PREFIX_.'access a
        WHERE id_tab = (
            SELECT `id_tab` FROM '._DB_PREFIX_.'tab
            WHERE class_name = \'AdminModules\' LIMIT 1)
        AND a.`view` = 1)');

Db::getInstance()->execute('
    INSERT INTO `'._DB_PREFIX_.'module_access` (`id_profile`, `id_module`, `view`, `configure`, `uninstall`) (
        SELECT id_profile, '.(int)$this->id.', 1, 0, 0
        FROM '._DB_PREFIX_.'access a
        WHERE id_tab = (
            SELECT `id_tab` FROM '._DB_PREFIX_.'tab
            WHERE class_name = \'AdminModules\' LIMIT 1)
        AND a.`view` = 0)');

Is there a reason why permissions are being installed with default values instead of using values from AdminModules tab access 'view', 'edit' and 'delete'?

 

I can fix these things with a custom module, but I'm just wondering if this is a bug or if it is meant to be like this?

Edited by TheDrotX (see edit history)
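
One way to close the reset gap described in the post above, shown as an added example that is not part of the original post and not PrestaShop's own code: a controller override that requires the per-module Uninstall permission before the core reset handler runs. The override file location, the error text and the `PrestaShopLogger` call are assumptions of this example.

```php
<?php
// Added example, not PrestaShop core code.
// Assumed location: override/controllers/admin/AdminModulesController.php
class AdminModulesController extends AdminModulesControllerCore
{
    /**
     * Reset can uninstall and reinstall a module, so require the per-module
     * "uninstall" permission before handing over to the core handler.
     */
    public function postProcessReset()
    {
        $module = Module::getInstanceByName(Tools::getValue('module_name'));

        // Unknown module name: nothing to guard, let the core handler run as before.
        if (!Validate::isLoadedObject($module)) {
            return parent::postProcessReset();
        }

        // Deny when the employee's profile lacks "uninstall" on this module.
        if (!$module->getPermission('uninstall')) {
            $this->errors[] = Tools::displayError('You do not have the permission to reset this module.');

            // Record the denied attempt so it is visible in the back office logs
            // (severity 2 = warning).
            PrestaShopLogger::addLog(
                'Denied module reset (no uninstall permission): '.$module->name,
                2,
                null,
                'Module',
                (int)$module->id,
                true
            );

            return;
        }

        // The core handler still applies its own tab "edit" and module "configure" checks.
        return parent::postProcessReset();
    }
}
```

On PrestaShop 1.6 a new override is only picked up after `cache/class_index.php` is regenerated.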