Bug #778
closedAll logged in users can still access various administrator pages by typing in its complete url
100%
Description
Need to redirect if no privilege to view it and remove editing ability if not administrator
Updated by Anchi Cheng almost 14 years ago
- Status changed from Assigned to In Code Review
- Assignee changed from Anchi Cheng to Eric Hou
- Priority changed from High to Normal
- % Done changed from 0 to 100
fix with r14557. Because groups, instruments, applications editing affects all users. They require level 4 privilege in "groups" to edit. I also did it in the same way for adduser.php because even power user should not change someone else's user profiles. I have taken care of these in revertsettings.php before.
goniometer.php which also found in admin.php side-bar is a view-only page so it just need to check if the user is logged in.
might be possible to move is_logged into admin.inc now that all of them need to do it.
Updated by Eric Hou almost 14 years ago
- Status changed from In Code Review to In Test
Updated by Eric Hou almost 14 years ago
- Assignee changed from Eric Hou to Amber Herold
Updated by Amber Herold over 13 years ago
- Assignee changed from Amber Herold to Anchi Cheng
http://fly/myamiweb/user.php allows anonymous user to view (but not edit) all users. Do we want people who don't even have a login to have access to all of our users names, emails, addresses, and phone numbers?
Updated by Anchi Cheng over 13 years ago
- Assignee changed from Anchi Cheng to Amber Herold
Did more refinement on page access in r14701, including remove access to users.php page to guest group to which anonymous user belongs. Currently,
Administration group: view and edit everything.
Power user: deny addusers.php. addinstrument.php, addapps.php, deny editing on users.php, deny revertsettings.php on users other than him/herself.
User group: also deny access on users.php in addition to restriction on Power user.
Guest group: also deny access on revertsettings.php, goniometer.php