View Issue Details

ID: 0001117
Project: OXID eShop (all versions)
Category: 2.5. Administer users
View Status: public
Last Update: 2012-12-10 13:15
Reporter: Moehlis
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.1.3 revision 19918
Fixed in Version: 4.1.4 revision 21266
Summary: 0001117: admin has no delete right but delete button is displayed
Description: Affects all backend lists.
If an admin has no right to delete items, the delete button is not removed.

Source of this tiny error seems to be oxubase:canDo():
        $oRights = $this->getRights();
        if ( $this->isAdmin() || !$oRights ) {
            return true;
        }
When calling the delete function, canDelete() is used to determine the user right; this works fine, so the user cannot delete anything.

So some buttons (to delete an item, or insert a new one) are still displayed in the interface though the admin user has no permissions to do that. But when clicking on these buttons, nothing happens (items are not deleted, nor inserted).
For the fix - if the user has no rights to do some action - make sure that buttons for those actions are not even displayed in the interface.
Tags: Rights & Roles
Theme:
Browser: All
PHP Version: 5.2.6
Database Version: 5.0.33

Activities

birute_meilutyte

2009-07-28 09:37

reporter   ~0001286

Description of how to reproduce the bug:
Admin -> Administer users -> Admin roles -> Objects
There is a possibility to set (I)nsert, (X)Delete for product and category. Mark checkbox I for category and checkbox X for product. This means an admin with this role will be able to create categories (but not to delete them) and to delete products (but not to create them).
Log in to admin with this specific admin and go to the product list. Both buttons, for creating a new product and for deleting it, appear. However, if the user tries to create a new product, nothing happens. The product is not created and no message is displayed why. Then go to categories. Both buttons for creating and deleting a category are visible again. Try to create a new category -> it's OK. Try to delete the same category -> after confirming deletion nothing happens. The category still exists and no message why it was not deleted is shown.

dainius.bigelis

2009-07-28 09:46

reporter   ~0001287

Reminder sent to: Moehlis

Description of the bug was changed as admin user still cannot harm the data, only buttons are displayed (what shouldn't be).

arvydas_vapsva

2009-07-28 15:33

reporter   ~0001305

fixed
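
The behaviour this issue asks for, as an added example that is not OXID eShop code: button visibility and the server-side action check both go through one rights lookup with no admin shortcut, and a refused action reports why. The classes RoleRights and BackendList, their methods, and the rights map are hypothetical, built from the reproduction steps above; it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical classes for illustration; not OXID eShop code.
final class RoleRights
{
    private array $grants; // object type => list of allowed actions

    public function __construct(array $grants) { $this->grants = $grants; }

    public function allows(string $objectType, string $action): bool
    {
        return in_array($action, $this->grants[$objectType] ?? [], true);
    }
}

final class BackendList
{
    private string $objectType;
    private RoleRights $rights;

    public function __construct(string $objectType, RoleRights $rights)
    {
        $this->objectType = $objectType;
        $this->rights = $rights;
    }

    // One decision point for rendering and execution; being an admin
    // does not bypass the role's object rights.
    public function canDo(string $action): bool
    {
        return $this->rights->allows($this->objectType, $action);
    }

    // Buttons the list template should render for this role.
    public function visibleButtons(): array
    {
        return array_values(array_filter(['insert', 'delete'], [$this, 'canDo']));
    }

    // Server-side enforcement stays in place even though the button is
    // hidden, and a refusal is reported instead of silently doing nothing.
    public function perform(string $action): string
    {
        return $this->canDo($action)
            ? "$action {$this->objectType}: done"
            : "$action {$this->objectType}: denied, role lacks this right";
    }
}

// Constructed sample role: I for category, X for product.
$rights = new RoleRights(['category' => ['insert'], 'product' => ['delete']]);
foreach (['product', 'category'] as $type) {
    $list = new BackendList($type, $rights);
    echo $type, ' buttons: ', implode(',', $list->visibleButtons()), PHP_EOL;
    echo $list->perform('insert'), PHP_EOL, $list->perform('delete'), PHP_EOL;
}
```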