Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Update permissions

Hi,

I've been looking class.updatemodel.php and I haven't found anything about permissions; I wasn't sure aobut it because I am quite new to vanilla and php so I gave it a try.

I created an user (normal user, not admin) on mi forum, logged with new account and tried "/index.php?p=/utility/update". It was a success.

Shouldn't be this option allow only to admin?

PD: sorry for my english :blush:

Comments

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited July 2014

    That is an excellent question !! Thanks for asking. I would think that running utility update or utility structure would only be allowed for admin.

    But it does not give user access to anything if they run it. And they would need to be in the dashboard to be able to run utility structure for the data base in case it needed to be fixed.

    Anyone can run utility update on any forum, I just ran it here... Not sure what could be detrimental if people start running it on other people's forums...

  • Options
    peregrineperegrine MVP
    edited July 2014

    The whole reason for update and structure is when your database is not up to date. which could mean any and all tables are not structured properly or up to date. This could include roles and permission tables as well.

    vrijvlinder said: And they would need to be in the dashboard to be able to run utility structure for the data base in case it needed to be fixed.

    e.g. On one of my clone updates, I couldn't log in as admin, until I ran utility structure or utility update. and it has nothing to do with whether you are currently viewing dashboard or not, as far as I know, but I am open to being corrected.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    No I failed to explain that,I meant to click the buttons in the dashboard when there is something to fix assuming you are already in the dashboard to click the repair db button that appears when you run utility structure if repair is needed

  • Options
    hgtonighthgtonight ∞ · New MVP

    /utility/structure requires the 'Garden.Settings.Manage' permission.

    /utility/update only requires the 'Garden.Settings.Manage' permission if the flood control gets triggered. This might not be intentional.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

Sign In or Register to comment.