
Permissions - Profile: Edit not working as expected

meshugy Musician/Hacker ✭✭
edited January 2014 in Vanilla 2.0 - 2.8

I'm not sure if I've discovered a bug or if I don't understand how the profile permissions work. I tried setting one of my roles so that the Profile "Edit" box is not checked but the "View" box is checked (see attachment). I figured this configuration would allow users to view their profile but not edit it. However, even with the "Edit" box unchecked, profiles are still able to be edited by users assigned to this role.

If I uncheck the "View" box, it does prevent the user from viewing the profile. However, the "Edit" box seems to have no impact. Can anyone shed some light on this?

I'm using Vanilla 2.12b and the profile extender is active.

Comments

  • peregrine MVP
    edited January 2014

    if you want to change the edit behavior

    change at line 301 in
    applications/dashboard/controllers/class.profilecontroller.php

        change
            $this->Permission('Garden.SignIn.Allow');
        to
            $this->Permission('Garden.Profiles.Edit');

    for preferences the same thing at line... 745

    removing picture by signin allow. change if you want at 905

    currently a lot is controlled by signin allow and not as you @meshugy expect.

    BTW, did you check github to see if an issue was filed? Since you are using vanilla 2.1b2, you are de facto a developer and it is assumed you do this and file github issues.

    activity is controlled by profile view.

    showing activities can be controlled for all via

    $Configuration['Garden']['Profile']['ShowActivities'] = FALSE;


    Since I have no idea if this was the plan or an oversight, it's hard to tell if it is a bug or not.

    @Todd

    also NON-role-based miscellaneous config settings.

    in config.php

        editing pictures controlled by anyone
            $Configuration['Garden']['Profile']['EditPhotos'] = FALSE;

        usernames by anyone
            $Configuration['Garden']['Profile']['EditUsernames'] = FALSE;

        editing email by anyone
            $Configuration['Garden']['Profile']['EditEmails'] = FALSE;

    activity is controlled by profile view.

    showing activities can also be controlled for all via config, for non-role based
        $Configuration['Garden']['Profile']['ShowActivities'] = FALSE;

    if a logged-in user tries to edit another user's profile, it is controlled by this:

        Garden Users Edit checkbox in dashboard permissions for role.

    otherwise controlled by

        Signin allow checkbox in dashboard permissions for role.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Shadowdare r_j MVP
    edited January 2014

    IIRC, users are able to edit their own profiles even if the Garden.Profiles.Edit permission is disabled, because that permission is for allowing users to edit other users' profiles.

    If this is how it works, then it's similar to how the Vanilla.Discussions.Edit permission works in that it allows users to edit other users' discussions. Revoking the permission doesn't affect the ability to edit their own discussions besides the edit time limit setting.

    It's possible to redirect users on certain pages who don't have a specific permission or are in a specific role with a plugin.

    Add Pages to Vanilla with the Basic Pages app

  • peregrine MVP
    edited January 2014

    I think you are partially correct, shadowdare.

    Users are able to edit their own profiles even if the Garden.Profiles.Edit permission is disabled, because that permission is for allowing users to edit other users' profiles.

    It may be the intent, but that is not the case.

    I'm not so sure.

    Much of the control affecting others' profiles could easily be controlled by Garden.Users.Edit

    The profilecontroller has various inconsistencies as to what you can do vs. what you can't do.

    e.g. setting a picture and thumbnail seems to be controlled via

        // Permission checks
        $this->Permission('Garden.Profiles.Edit');

    not much else.

    the whole controller needs to be gone through with a fine-tooth comb, methinks.

    but a plugin to add tighter control would be the best scenario, as you say, to fine-tune permissions with some of the inconsistencies fixed, so edit acts in the same manner across the garden.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • meshugy Musician/Hacker ✭✭

    @peregrine thanks, your suggestion worked perfectly. :)

  • @meshugy said:
    peregrine thanks, your suggestion worked perfectly. :)

    Before I get hit with a frying pan:
    Thanks, but I want to point out that modifying the core and changing permissions is not a great idea. I was more pointing it out in case you wanted to post on github or if Todd had comments.
    It's also a double-edged sword: while you restricted the ability to edit, etc. for users without profile edit privs, at the same time you may have also unwittingly opened up privs for people who are not admins but now do have profile edit privs in their role.

    So bottom line: avoid, but test, test, test everything if you do give a role besides admin profile edit privs.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
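The trade-off peregrine describes above, as an added example that is not code from the thread or from Vanilla: a stand-alone PHP model of the single permission line at issue, comparing the original check, the suggested replacement, and a split check that treats editing your own profile differently from editing someone else's. It assumes role permissions as a plain array of permission names and a boolean result, whereas Vanilla's `Permission()` denies access itself; user ids and roles are constructed for the comparison.

```php
<?php
// Added example, not Vanilla's code: models the edit check quoted from
// ProfileController so the effect of the suggested change can be compared.
// Permissions are a plain array of names; a real controller call would
// deny access rather than return false.

// Original check: any signed-in user passes, own profile or someone else's.
// (The thread notes editing another user is also gated elsewhere by Garden.Users.Edit.)
function canEditOriginal(array $perms, int $sessionUserId, int $targetUserId): bool
{
    return in_array('Garden.SignIn.Allow', $perms, true);
}

// Suggested change: Garden.Profiles.Edit replaces SignIn.Allow. Roles without
// it lose self-edit, but every role holding it now passes for every profile,
// which is the "double-edged sword" peregrine warns about.
function canEditPatched(array $perms, int $sessionUserId, int $targetUserId): bool
{
    return in_array('Garden.Profiles.Edit', $perms, true);
}

// Split check (assumption: the controller knows both user ids): own profile
// needs only a signed-in session; another user's needs Garden.Users.Edit,
// the permission the thread names for editing other users.
function canEditSplit(array $perms, int $sessionUserId, int $targetUserId): bool
{
    if ($sessionUserId === $targetUserId) {
        return in_array('Garden.SignIn.Allow', $perms, true);
    }
    return in_array('Garden.Users.Edit', $perms, true);
}

// Constructed roles and user ids for the comparison matrix.
$roles = [
    'member'    => ['Garden.SignIn.Allow'],
    'moderator' => ['Garden.SignIn.Allow', 'Garden.Profiles.Edit'],
    'admin'     => ['Garden.SignIn.Allow', 'Garden.Profiles.Edit', 'Garden.Users.Edit'],
];
foreach ($roles as $name => $perms) {
    foreach ([[7, 7, 'own'], [7, 42, 'other']] as [$me, $target, $label]) {
        printf("%-9s %-5s original=%d patched=%d split=%d\n", $name, $label,
            (int) canEditOriginal($perms, $me, $target),
            (int) canEditPatched($perms, $me, $target),
            (int) canEditSplit($perms, $me, $target));
    }
}
```

The "moderator other" row is the case to watch: the patched check lets a non-admin role holding Profiles.Edit through for another user's profile, while the split check still requires Garden.Users.Edit.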

  • meshugy Musician/Hacker ✭✭

    @peregrine thanks for the advice. I figured there may be some serious implications in making a change like that, so I went through and checked everything pretty thoroughly. Seems OK.

  • it may be good now, but if they alter what Permission('Garden.Profiles.Edit'); does in the next version, you may have something completely different.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • meshugy Musician/Hacker ✭✭

    @peregrine I changed them back. If I continue to explore this option, I'll see if I can find a safer way to do it. Thanks.
