Security levels not working

Thread began 5/30/2013 9:58 pm by mrs | Last modified 6/03/2013 2:16 pm by Jason Byrnes | 488 views | 12 replies |

mrs

There was an interactive tutorial on your old site by Mark Jones (I think that was his name) for creating multiple level access with security assist. Where has it gone?

Anyways, I have built an admin login using Security Assist, and I have then created a CRUD system for master admins to add lower-level admins. I have tested the pages with the bog-standard 'Logged in to tbl_admin' settings and all works fine apart from the fact that any admin has access to these pages. I then went about creating admin levels, and applied them, but they failed to check if I was logged in or not and let me straight into the admin area.

I have used the Access Rules Manager to edit and create access group levels:

Logged in to tbl_admin (levels of 3, 2 and 1)
Logged in to tbl_admin Power Admin Users (levels of 3 and 2)
Logged in to tbl_admin Master Admin Users (levels of 3 only)

None of these are working... I just go straight into the admin and am free to edit without ever signing in.

What I've noticed is that the code on the login.php seems to refer to the unique column (fld_adminID) rather than the access column (fld_adminACTIVE).

"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),

I've changed the code where I can see it to refer to the access column of the DB (fld_adminACTIVE), and I have tried to rename the session name to SecurityAssist_fld_adminACTIVE, but now I am locked out of the admin even though I know I am entering the correct login details! I've now changed the code back from ACTIVE to ID. I found the code in the helpergroupsrulesphp.php and login.php.

Within the Access Rules Manager, the default settings produced by Security Assist are:

Allow if
Value: <?php echo $_SESSION['SecurityAssist_fld_adminID']; ?>
Criteria: <>
Compare to: '' (field left empty)

And I changed it to:

Allow if
Value: <?php echo $_SESSION['SecurityAssist_fld_adminACTIVE']; ?>
Criteria: In group
Compare to: Logged in to tbl_admin

What am I doing wrong? What do I need to change? During the wizard process, what do I set to ensure the security is checking against the level rather than the unique record ID?

I've attached zip of the admin section with my levels in, but some code somewhere is still wrong... unless I have approached this entirely incorrectly!

Sign in to reply to this post

Jason Byrnes (WebAssist)

The wizard cannot be configured to create user level authentication, that needs to be done manually.

Your approach is correct, the problem is that you have entered an empty member of each of the groups.


If you look in the webassist/security_assist/helpergrouprules.php file, the code for the groups is:

php:
function WA_Auth_GetGroup($groupName){
    $group = Array();
    switch ($groupName){
        case "All Admin Users":
            $group = array("1","2","3","");
            break;
        case "Master Admin Users":
            $group = array("3","");
            break;
        case "Power Admin Users":
            $group = array("2","3","");
            break;
    }
    return $group;
}

Each one of the groups contains an empty member, for example:

php:
$group = array("1","2","3","");

should be:

php:
$group = array("1","2","3");

Having an empty member like this will allow access if the session is not set, i.e. not logged in.

Sign in to reply to this post

mrs

Aah... do you know, I looked at them and removed them too, but I tested them after I have changed the fld_adminID to fld_adminACTIVE and that's when I thought: "You know, I've tried but I need some help now!"

Thanks Jason.

I'll give it a go and come back if I need further help.

Sign in to reply to this post

mrs

Removing that blank option doesn't make the code work properly. Basically, I have just created a user in the admin table with an access level of '0'. In the access levels, I have only used 1, 2 and 3, so by default I would expect 0 to be kicked out of the admin. I have tried adding a user without any access levels, i.e. NULL, and that is kicked out, so something is referring to the fld_adminACTIVE field.

So, what's wrong with this still? Is it because the behaviour is looking at the ID field instead of the ACTIVE access level field?

I am assuming that I have set the access rules and groups up correctly. Do I need to add restrict if rule to the current settings I have?

Thanks

Sign in to reply to this post

Jason Byrnes (WebAssist)

I'll need to troubleshoot directly, see the private message section.

Sign in to reply to this post

mrs

Details provided

Sign in to reply to this post

Jason Byrnes (WebAssist)

Originally Said By: mrs
  Details provided  
Sign in to reply to this post

mrs

master.php should only allow one admin level, power.php should allow two admin levels. I can't get in to master.php at all regardless of how I've signed in, and power.php doesn't seem to matter what level I sign in with.

master.php is set to 3 (Logged in to tbl_admin Master Admin Users - in group Master admin users)
power.php is set to 2 and 3 (Logged in to tbl_admin Power Admin Users - in group Power admin users)
all pages with admin in the name are now set to 1, 2 and 3 (Logged in to tbl_admin - in group All admin users)

The admin-named pages were set to Power Admin Users, but all administrators could view them regardless of their access level. I have changed it so it should be easier for you to troubleshoot, or at least I assume it will be easier.

Thanks.

Sign in to reply to this post

Jason Byrnes (WebAssist)

On your pages on the server, the column you are storing in the session is fld_adminID and the session name is SecurityAssist_fld_adminID.

You should be using the fld_adminACTIVE column in the session.

The fld_adminID column stores the primary key value, not the group level.

When the user Matthew logs in, the session value is 1, so he is not considered a Master Admin.

Sign in to reply to this post
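The two diagnoses Jason gives in this thread (the empty "" member in each group list, and the session carrying fld_adminID instead of fld_adminACTIVE) modelled in one small PHP script. This is an added example, not WebAssist's code; the helper names adminGroup and allowIfInGroup and the sample tbl_admin row are constructed for illustration.

```php
<?php
// Added example, not WebAssist's code: models the two faults diagnosed in
// this thread. Function names and the sample tbl_admin row are constructed.

// Group lists as they should be emitted: no trailing "" member.
function adminGroup(string $groupName): array {
    switch ($groupName) {
        case "All Admin Users":    return ["1", "2", "3"];
        case "Power Admin Users":  return ["2", "3"];
        case "Master Admin Users": return ["3"];
        default:                   return [];
    }
}

// Rule check equivalent to "Allow if <session value> In group <group>".
// A missing session key is a denial outright, and the comparison is strict,
// so neither "" nor "0" can be mistaken for a real level.
function allowIfInGroup(array $session, string $sessionName, string $groupName): bool {
    if (!isset($session[$sessionName])) {
        return false;
    }
    return in_array((string) $session[$sessionName], adminGroup($groupName), true);
}

// Constructed row: primary key 1, access level 3 (a master admin).
$matthew = ["fld_adminID" => "1", "fld_adminACTIVE" => "3"];

// Fault 1: the generated group contained an empty member. An unset $_SESSION
// entry echoes as "", and "" is a member of the list, so a visitor who never
// logged in passes the loose in_array() test. The strict helper refuses it.
$buggyMasterGroup = ["3", ""];
$unsetSessionValue = "";
var_dump(in_array($unsetSessionValue, $buggyMasterGroup));   // loose check admits the visitor
var_dump(allowIfInGroup([], "SecurityAssist_fld_adminACTIVE", "Master Admin Users"));

// Fault 2: the login stored fld_adminID in the session, so the rule compared
// the primary key "1" against the level list and Matthew was not a master admin.
$sessionFromIdColumn = ["SecurityAssist_fld_adminID" => $matthew["fld_adminID"]];
var_dump(allowIfInGroup($sessionFromIdColumn, "SecurityAssist_fld_adminID", "Master Admin Users"));

// Corrected mapping: sessionColumns/sessionNames point at fld_adminACTIVE.
$sessionFromLevelColumn = ["SecurityAssist_fld_adminACTIVE" => $matthew["fld_adminACTIVE"]];
var_dump(allowIfInGroup($sessionFromLevelColumn, "SecurityAssist_fld_adminACTIVE", "Master Admin Users"));
```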

mrs

Ah, I thought so. So, where do I set that up in the security assist wizard?

In the database settings, I have the menu User ID to select which user is being used to detect the unique user id for password reminders and user updates, but it doesn't work for the session setting requirement of the security levels.

Perhaps a user level column choice is something that could be added to the wishlist for the next version of security assist.

UPDATE:

So, just to be sure, because I am only using the login and logout pages, if I change the following:

"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),
to
"sessionColumns" => explode($WA_Auth_Separator,"fld_adminACTIVE"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminACTIVE"),

and change SecurityAssist_fld_adminID to SecurityAssist_fld_adminACTIVE anywhere else it occurs, then my problem should be fixed. Is this going to break any functionality elsewhere?

Thanks

Sign in to reply to this post