Vanilla 1 is no longer supported or maintained.
Setting page (not just category) permissions by role
judgej
I have been playing with the PageManager plugin that allows me to change the tabs at the top of the page. I can display or hide system tabs, page content tabs, URLs, etc. on a per-role basis. However, the plugin does not seem to prevent a user accessing the underlying function if they know the URL.
For example, I do not want unauthenticated users to access the search function. I can hide the search tab from unauthenticated users, but they can still go directly to search.php and get access to all the search features. Either this is just happening to me, or it is a bug on the PageManager plugin that should be fixed, or a feature and I should be blocking access through some other screen.
Any suggestions as to what I can do about this?
I have noticed this is a recurrent feature of many of the plugins - the security concentrates on what navigation to show the user (depending on their role) but then does not apply the same security to the functions behind that navigation, so the 'security' can all be bypassed anyway.
-- Jason
Edit: The PageManager plugin *does* handle role-based security for its own pages well. I think it is just the system functions that it does not work with. So I could rephrase the question: how can I prevent users not in specific roles from accessing the search functions? The first line in search.php is this:
// Ensure the user is allowed to view this page
$Context->Session->Check($Context);
so I assume there is some way to disable access to it, but on a role basis?
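The point raised above is that hiding a tab is presentation, not authorization: the check has to sit at the top of the page script itself, before any search or data access runs, so a direct request to search.php is refused the same way a hidden tab is. The following is an added illustration of that pattern, not code from Vanilla 1 or the PageManager plugin; the page-to-role map, is_allowed(), require_roles() and the simulated sessions are constructed for the example and do not correspond to Vanilla's own Context or Session API.

```php
<?php
// Added example: enforce role-based access at the entry point of a page,
// independently of whether its navigation tab is displayed.
// PAGE_ROLES, is_allowed(), require_roles() and the simulated sessions are
// assumptions for illustration, not part of Vanilla 1 or PageManager.

declare(strict_types=1);

// Constructed policy: which roles may reach which page script.
// Unauthenticated visitors carry only the 'guest' role.
const PAGE_ROLES = [
    'search.php'  => ['member', 'moderator', 'administrator'],
    'account.php' => ['member', 'moderator', 'administrator'],
    'index.php'   => ['guest', 'member', 'moderator', 'administrator'],
];

/**
 * Return true when at least one of the caller's roles is permitted for $page.
 * A page missing from the policy is denied by default (fail closed), so a
 * newly added script is not reachable until someone explicitly grants it.
 */
function is_allowed(string $page, array $userRoles): bool
{
    $allowed = PAGE_ROLES[$page] ?? [];
    return count(array_intersect($allowed, $userRoles)) > 0;
}

/**
 * Call this as the first statement of a page script, before any search or
 * data access. It terminates the request on a failed check, so a visitor who
 * types the URL directly gets 403 regardless of what navigation was shown.
 */
function require_roles(string $page, array $userRoles): void
{
    if (!is_allowed($page, $userRoles)) {
        if (!headers_sent()) {
            http_response_code(403);
        }
        exit("Access denied to {$page}.\n");
    }
}

// Simulated sessions (constructed): role lists as the application would
// resolve them from the logged-in user, or 'guest' when nobody is logged in.
$sessions = [
    'anonymous visitor' => ['guest'],
    'logged-in member'  => ['member'],
];

foreach ($sessions as $label => $roles) {
    foreach (['index.php', 'search.php'] as $page) {
        printf(
            "%-18s %-11s %s\n",
            $label,
            $page,
            is_allowed($page, $roles) ? 'allowed' : 'denied'
        );
    }
}

// In a real search.php the first executable line would be the gate, e.g.
//   require_roles('search.php', current_user_roles());
// where current_user_roles() (hypothetical) reads the session; everything
// that builds or runs the search must come after it.
```

The decisive property is that the gate is evaluated on every request to the script, not only when rendering navigation, and that it ends the request rather than merely skipping output; the later parts of the page never run for a denied caller.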
This discussion has been closed.