I changed the code as follows to gain the proper functionality:
// Test the member actually being checked (member_id parameter if given,
// otherwise the logged-in member) for superadmin group membership.
// The id is cast to int before going into the SQL string; the earlier
// version concatenated the template parameter unescaped.
$checkedMemberId = (int) ($TMPL->fetch_param('member_id')
    ? $TMPL->fetch_param('member_id')
    : $SESS->userdata['member_id']);
$isAdmin = ($DB->query("SELECT member_id FROM exp_members WHERE member_id = "
    . $checkedMemberId . " AND group_id = 1;")->num_rows > 0);
$cond['approved'] = ( $query->num_rows > 0 OR $isAdmin);
$cond['not_approved'] = !($cond['approved']);
// note: $query->num_rows refers to a query found earlier in the code, not to the query in this snippet.
This is pretty frustrating to have the most fundamental features of the module not working properly, especially considering this is a commercial solution.
Daryl, thank you for your feedback and for filing such good bug reports (and fixes, too!). I have invited the lead programmer to comment and am currently awaiting his answer.
daryl, Permission is Mitchell’s project, but he is away on his honeymoon until later this month. In the meantime, I went ahead and took a look at the code for the “check” method. The reason the original code didn’t work is on line 1781. Change this:
if ( $member_id = $TMPL->fetch_param('member_id') )
The original line 1781 would always evaluate to false if the member_id parameter was passed, so instead of checking for a specified member, it would always check against the current user.
Regardless of the truth value of ($query->num_rows > 0), the conditional will be true if the currently logged-in user is a superadmin ($SESS->userdata['group_id'] == 1). My fix is still correct.
I believe that’s the intended functionality. If you’re a superadmin, you should be able to see the content no matter what. I’ll have to double-check with Mitchell on that, but I won’t get the answer until late this month.
Not according to the documentation. Yes, a superadmin should always be able to access content, but that's why you check the actual member_id. It's important when creating a permission management page that the admin be able to differentiate between those who are authorized and those who are not.
When you test a user-id against a permission point, you should get the same result no matter who is logged in.
Where in the documentation is the check method used in a permissions management page? The docs only say to use the check method to “Wrap the contents of your templates inside the check function to control access to those contents.” It looks like the member_list method would be used in a member management page.
I’m not saying your fix is incorrect, especially since it seems you’re using the check method in an unsupported way according to the docs. All I’m saying is those two lines appear to be correct according to the docs.
The ‘member_id’ parameter allows you to check the permissions of a specific member. The default is to check the permissions of the currently logged in member viewing the page.
Meaning, that if a member_id is not specified, the currently logged in user is checked. If it is provided, the member_id is checked.
One question on your line 1781. Won't that always evaluate to false? Unless you rewrote the earlier check for $SESS->userdata['member_id'] == 0 in the check method too. If you did, can you show me your entire check code?
Mitchell will be interested to see your many fixes/code improvements to the code.
($SESS->userdata['member_id'] == 0) is true if the user is not logged in.
($member_id = $TMPL->fetch_param('member_id')) is true if a member_id has been passed
so my if ( $SESS->userdata['member_id'] == 0 && !($member_id = $TMPL->fetch_param('member_id')))
if (<user is not logged in> AND <no member_id is provided>) { $cond['approved'] = FALSE; $cond['not_approved'] = TRUE; }
Is that line 1751 or 1781? It looks more like 1751, but that would mean a person who isn’t logged in could see the content by passing along a permitted member_id in the URL.
All my questions would be answered if you could show me your entire check method code. I’m sure you’ve thought this out, but it’s confusing the hell out of me without seeing the rest of your code.
// -------------------------------------------
// Fetch permission id
// -------------------------------------------
$query = $DB->query( $sql );

// -------------------------------------------
// Set conditionals
// -------------------------------------------
// drch edit
// function was improperly checking the currently logged in user for admin
// rights, when it should have been testing the checked user.
// The checked id is cast to int before going into the SQL string; the
// earlier version concatenated the template parameter unescaped.
$checkedMemberId = (int) ($TMPL->fetch_param('member_id')
    ? $TMPL->fetch_param('member_id')
    : $SESS->userdata['member_id']);
$isAdmin = ($DB->query("SELECT member_id FROM exp_members WHERE member_id = "
    . $checkedMemberId . " AND group_id = 1;")->num_rows > 0);
// $cond['approved'] = ( $query->num_rows > 0 OR $SESS->userdata['group_id'] == '1' ) ? TRUE: FALSE;
// $cond['not_approved'] = ( $query->num_rows > 0 OR $SESS->userdata['group_id'] == '1' ) ? FALSE: TRUE;
$cond['approved'] = ( $query->num_rows > 0 OR $isAdmin);
$cond['not_approved'] = !($cond['approved']);
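The rule argued for in this thread (the member being tested, not the viewer, decides the outcome, and a not-logged-in visitor with no member_id gets nothing) written out as a standalone example; this is added here and is not the Permission module's own code. It uses PDO prepared statements instead of ExpressionEngine's $DB/$TMPL/$SESS objects, keeps the exp_members table named in the thread, and assumes a hypothetical exp_permission_members table for the permission row.

```php
<?php
// Added example, not the Permission module's own code: the "check"
// decision argued for in this thread, written against PDO rather than
// ExpressionEngine's $DB/$TMPL/$SESS. Table exp_members is from the
// thread; exp_permission_members is an assumed, hypothetical table.
// Rule: the member being tested (explicit member_id parameter, else the
// logged-in member) decides the result, so the same member_id yields the
// same answer whoever is viewing the page.

function resolve_member_id(?string $param, int $session_member_id): ?int
{
    // Not logged in (session member_id 0) and no parameter: nothing to test.
    if ($param === null || $param === '') {
        return $session_member_id > 0 ? $session_member_id : null;
    }
    // Accept digits only; the original concatenated the raw value into SQL.
    return ctype_digit($param) ? (int) $param : null;
}

function is_superadmin(PDO $db, int $member_id): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM exp_members WHERE member_id = :id AND group_id = 1'
    );
    $stmt->execute([':id' => $member_id]);
    return $stmt->fetchColumn() !== false;
}

function has_permission(PDO $db, int $member_id, int $permission_id): bool
{
    // Hypothetical join table; the module's real schema is not on this page.
    $stmt = $db->prepare(
        'SELECT 1 FROM exp_permission_members
          WHERE member_id = :id AND permission_id = :perm'
    );
    $stmt->execute([':id' => $member_id, ':perm' => $permission_id]);
    return $stmt->fetchColumn() !== false;
}

function check(PDO $db, ?string $param, int $session_member_id, int $permission_id): array
{
    $member_id = resolve_member_id($param, $session_member_id);
    $approved = $member_id !== null
        && (has_permission($db, $member_id, $permission_id)
            || is_superadmin($db, $member_id));
    return ['approved' => $approved, 'not_approved' => !$approved];
}
```

Because both lookups use the resolved member id and never the session's group_id, an admin building a permission management page gets the same answer for a given member_id as that member would get viewing the page themselves.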