View Issue Details

IDProjectCategoryView StatusLast Update
0005732OXID eShop (all versions)2.5. Administer userspublic2014-07-07 16:11
Reportermichael_keiluweit 
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionwon't fix 
Product Version4.8.4 / 5.1.4 
Target Version4.7.13 / 5.0.13Fixed in Version 
Summary0005732: RR - Hiding prices with rights and roles aren't working for normal users
DescriptionA role which has the option "SHOWARTICLEPRICE" active, doesn't work for normal users (not admins or not registered users). The prices will be displayed always.

Even if all the other options are checked and only "SHOWARTICLEPRICE" is no activated it doesn't works.

But if you do a logout, the prices are gone, also for the administration users.

To foreclose that my session cause the problem, I deleted all cookies for that domain and cleaned the shop folder tmp/
Steps To Reproduce1. Administer Users
2. ->shop roles
3. check active, give it a name
4. assign all user groups
5. check "SHOWARTICLEPRICE"
6. and after that, create a test user and log in
7. you will see the prices at the frontend

and in case I'm wrong with the checkboxes

8. uncheck SHOWARTICLEPRICE and check all the other ones. Clean up all the session stuff. I didn't get the result which I expected in this case, too.
Additional InformationTested it with latest version (demoshop).
And testet it with 5.0.9 (there I checked the source code and got the following queries [\oxRights::_loadRights()]):


For not registered users / not logged in, the shop executes this SQL query:

SELECT oxrolefields.oxname, oxrolefields.oxparam FROM oxroles LEFT JOIN oxfieldrole ON oxroles.oxid = oxfieldrole.oxroleid LEFT JOIN oxrolefields ON oxrolefields.oxid = oxfieldrole.oxfieldid LEFT JOIN oxobjectrights ON oxobjectrights.oxobjectid = oxroles.oxid WHERE oxroles.oxarea = AND oxroles.oxactive = AND oxroles.oxshopid = AND oxobjectrights.oxobjectid IS NOT NULL GROUP BY oxrolefields.oxid;

result for OXNAME: SHOWARTICLEPRICE



For logged in users (which are not admins):


SELECT oxrolefields.oxname, oxrolefields.oxparam FROM oxroles LEFT JOIN oxfield2role ON oxroles.oxid = oxfield2role.oxroleid LEFT JOIN oxrolefields ON oxrolefields.oxid = oxfield2role.oxfieldid LEFT JOIN oxobjectrights ON oxobjectrights.oxobjectid = oxroles.oxid WHERE oxroles.oxarea =1 AND oxroles.oxactive =1 AND oxroles.oxshopid = 1 AND oxobjectrights.oxobjectid IS NOT NULL GROUP BY oxrolefields.oxid;


And


SELECT oxrolefields.oxname, oxrolefields.oxparam FROM oxroles LEFT JOIN oxfield2role ON oxroles.oxid = oxfield2role.oxroleid LEFT JOIN oxrolefields ON oxrolefields.oxid = oxfield2role.oxfieldid LEFT JOIN oxobjectrights ON oxobjectrights.oxobjectid = oxroles.oxid WHERE oxroles.oxarea =1 AND oxroles.oxactive =1 AND oxroles.oxshopid = 1 AND oxobjectrights.oxobjectid IS NOT NULL AND ( SELECT 1 FROM oxroles LEFT JOIN oxfield2role ON oxroles.oxid = oxfield2role.oxroleid LEFT JOIN oxobjectrights ON oxobjectrights.oxobjectid = oxroles.oxid WHERE oxrolefields.oxid = oxfield2role.oxfieldid AND oxroles.oxarea = 1 AND oxroles.oxactive = 1 AND oxroles.oxshopid = 1 AND oxobjectrights.oxid IS NOT NULL AND ( ( oxobjectrights.oxgroupidx & 32800 and oxobjectrights.oxoffset = 0 ) ) LIMIT 1 ) IS NULL GROUP BY oxrolefields.oxid;


result for OXNAME: NULL



I also noticed that the method \oxRights::_loadRights() is called twice for logged in users (maybe for admins too?)
TagsNo tags attached.
ThemeAzure
BrowserAll
PHP Versionany
MySQL Versionany

Activities

svetlana

2014-04-15 16:20

reporter   ~0009839

reproduce this issue even on 5.0.2 version

aurimas.gladutis

2014-07-07 15:05

reporter   ~0009997

Hi, this is how shop roles work:
if you check SHOWARTICLEPRICE and assign lets say "powershopper" group to it, only powershoppers will see the prices, all other groups will not.
If the checkbox is not checked - everyone will see the prices.

Now when you assign all the groups, basically everyone except not logged in users will see the prices when the checkbox is checked.