Login user can view other record which is not created by the same user


2 months 3 days ago #9811 by Lee Chen

Hi everyone,

I am wondering whether anyone has the same problem as mine. The code below is supposed to check whether the user is a Super User or the login user id matches the record's created_by user id. However, if I change the table id etc. from 9 to 8 in the link /index.php/en/component/orders/order/9 to /index.php/en/component/orders/order/8, where record 8 is not created by the login user, I am still able to view the record details.

// Condition as posted: passes if no record was loaded, or the user is an admin/super user,
// or the record's created_by matches the logged-in user's id
if (empty($result) || $this->isAdminOrSuperUser() || $table->created_by == JFactory::getUser()->id) {

}

Any ideas?

Many thanks.


1 month 3 days ago #9814 by Glenn Arkell

Hi Lee,
You possibly have already solved this but just in case . . .
In the site/views/order/view.html.php file you can add an extra check before the $this->_prepareDocument(); call, such as:

// Text is Joomla\CMS\Language\Text, imported at the top of the file
$user = JFactory::getUser();
// Deny unless the record belongs to the current user or the user is an admin/super user
if ((isset($this->item->created_by) && $this->item->created_by != $user->id) && !$this->isAdminOrSuperUser()) {
    throw new Exception(Text::_('JERROR_ALERTNOAUTHOR'), 403);
}
Hope this helps. Cheers.
Glenn
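The ownership rule discussed in both posts, written out as a stand-alone example. This is added here and is not code from the thread or from the orders component. It assumes nothing about Joomla: the orders table is a constructed in-memory array, the admin/super user status is passed in as a flag, and loadOrder() stands in for the model's getItem(). The record ids, owner ids and titles are made up to mirror the 9-to-8 URL change from the question.

```php
<?php
// Added example, not code from the thread or the component. Plain PHP (>= 7.4),
// no Joomla runtime required. Run with: php owner_check.php
declare(strict_types=1);

final class NotAuthorized extends RuntimeException {}
final class NotFound extends RuntimeException {}

// Constructed sample data standing in for the #__orders table.
const ORDERS = [
    8  => ['id' => 8,  'created_by' => 42,   'title' => 'Order owned by user 42'],
    9  => ['id' => 9,  'created_by' => 7,    'title' => 'Order owned by user 7'],
    10 => ['id' => 10, 'created_by' => null, 'title' => 'Order with no owner recorded'],
];

/**
 * The authorization rule. An admin/super user bypasses ownership; everyone
 * else must be the recorded owner. A missing created_by (null or 0) is
 * denied rather than treated as public, so the default is "no access".
 */
function canView(array $order, int $userId, bool $isAdminOrSuperUser): bool
{
    if ($isAdminOrSuperUser) {
        return true;
    }
    $owner = $order['created_by'] ?? null;
    return $owner !== null && (int) $owner !== 0 && (int) $owner === $userId;
}

/**
 * Stand-in for a model's getItem(): load by id, then authorize before the
 * record is handed to any view. Missing rows raise NotFound; rows the caller
 * does not own raise NotAuthorized (the Joomla equivalent would be
 * throw new Exception(Text::_('JERROR_ALERTNOAUTHOR'), 403)).
 */
function loadOrder(int $id, int $userId, bool $isAdminOrSuperUser): array
{
    $order = ORDERS[$id] ?? null;
    if ($order === null) {
        throw new NotFound("Order $id not found");
    }
    if (!canView($order, $userId, $isAdminOrSuperUser)) {
        throw new NotAuthorized('JERROR_ALERTNOAUTHOR');
    }
    return $order;
}

// Small test helpers; assert() is not used because zend.assertions may be
// disabled in a production php.ini, which would silently skip the checks.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
    echo "ok: $what\n";
}

function throws(string $class, callable $fn): bool
{
    try {
        $fn();
    } catch (Throwable $e) {
        return $e instanceof $class;
    }
    return false;
}

// Walk through the cases from the thread.
$userId = 7; // logged-in, non-admin user who created order 9

expect(loadOrder(9, $userId, false)['id'] === 9,
    'owner can view their own order 9');
expect(throws(NotAuthorized::class, fn() => loadOrder(8, $userId, false)),
    'changing the URL from order 9 to order 8 is denied');
expect(loadOrder(8, 1, true)['id'] === 8,
    'admin/super user can view order 8');
expect(throws(NotAuthorized::class, fn() => loadOrder(10, $userId, false)),
    'order with no created_by is denied, not treated as public');
expect(throws(NotFound::class, fn() => loadOrder(99, $userId, false)),
    'unknown id is reported as not found');
echo "all checks passed\n";
```

Two design points worth carrying over into the real component. First, the check runs where the record is loaded, not only in one HTML view: in Joomla every view that calls the model's getItem() (other layouts, format=raw or json responses, a list view that links to the item) would otherwise reach the row without the guard, so the model or controller is the place to deny. Second, the branch order matters: test the admin bypass first, then require a present and matching created_by, so an unowned row or a null comparison can never evaluate to "allowed". The `empty($result)` short-circuit in the question's condition is the kind of clause that silently grants access when no record was loaded.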


Powered by Kunena Forum
