Bug #778
closed
All logged in users can still access various administrator pages by typing in its complete url
Added by Anchi Cheng over 14 years ago.
Updated about 14 years ago.
Affected Version:
Appion/Leginon 2.0.2
Description
Need to redirect if the user has no privilege to view it, and remove editing ability if the user is not an administrator.
- Status changed from Assigned to In Code Review
- Assignee changed from Anchi Cheng to Eric Hou
- Priority changed from High to Normal
- % Done changed from 0 to 100
Fixed with r14557. Because editing groups, instruments, and applications affects all users, they require level 4 privilege in "groups" to edit. I also did it the same way for adduser.php because even a power user should not change someone else's user profile. I have taken care of these in revertsettings.php before.
goniometer.php, which is also found in the admin.php side-bar, is a view-only page, so it just needs to check whether the user is logged in.
It might be possible to move is_logged into admin.inc now that all of them need to do it.
- Status changed from In Code Review to In Test
- Assignee changed from Eric Hou to Amber Herold
- Assignee changed from Amber Herold to Anchi Cheng
http://fly/myamiweb/user.php allows an anonymous user to view (but not edit) all users. Do we want people who don't even have a login to have access to all of our users' names, emails, addresses, and phone numbers?
- Assignee changed from Anchi Cheng to Amber Herold
Did more refinement on page access in r14701, including removing access to the users.php page from the guest group, to which anonymous users belong. Currently:
Administration group: view and edit everything.
Power user: deny addusers.php, addinstrument.php, addapps.php; deny editing on users.php; deny revertsettings.php on users other than him/herself.
User group: also deny access to users.php, in addition to the restrictions on Power user.
Guest group: also deny access to revertsettings.php and goniometer.php.
- Status changed from In Test to Closed
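The group/page matrix in the comment above, written as one centralized gate of the kind the thread proposes for admin.inc. This is an added example, not myamiweb's own code: the group names, the page list, the `$session` layout and the helper names are assumptions, and the "self" rule on revertsettings.php follows the comment's wording.

```php
<?php
// Added example (not myamiweb code). Encodes the per-group page rules from
// the comment: 'edit', 'view', 'self' (own profile only) or null (denied).
const PAGE_ACCESS = [
    //                       admin    power   user    guest
    'users.php'          => ['edit', 'view', null,   null],
    'addusers.php'       => ['edit', null,   null,   null],
    'addinstrument.php'  => ['edit', null,   null,   null],
    'addapps.php'        => ['edit', null,   null,   null],
    'revertsettings.php' => ['edit', 'self', 'self', null],
    'goniometer.php'     => ['view', 'view', 'view', null],
];
// Assumed group names; anonymous visitors are treated as 'guest'.
const GROUP_INDEX = ['administration' => 0, 'power' => 1, 'user' => 2, 'guest' => 3];

/**
 * Return 'edit', 'view' or null for $group on $page. A 'self' entry grants
 * edit only when the target user is the logged-in user. Unknown pages and
 * unknown groups are denied, so a page missing from the table fails closed.
 */
function page_permission(string $page, string $group,
                         ?string $targetUser = null, ?string $currentUser = null): ?string
{
    if (!isset(PAGE_ACCESS[$page]) || !isset(GROUP_INDEX[$group])) {
        return null;
    }
    $perm = PAGE_ACCESS[$page][GROUP_INDEX[$group]];
    if ($perm === 'self') {
        return ($targetUser !== null && $targetUser === $currentUser) ? 'edit' : null;
    }
    return $perm;
}

/**
 * Gate to call at the top of every admin page, so typing the URL directly
 * no longer bypasses the side-bar. Redirects and stops when the viewer has
 * no access; returns true when editing is allowed so the page can hide its
 * edit controls otherwise. $session is a constructed stand-in for the
 * application's login state (keys 'group' and 'username' are assumed).
 */
function require_page_access(string $page, array $session, ?string $targetUser = null): bool
{
    $group = $session['group'] ?? 'guest';
    $perm = page_permission($page, $group, $targetUser, $session['username'] ?? null);
    if ($perm === null) {
        header('Location: index.php');
        exit;
    }
    return $perm === 'edit';
}
```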