Topic: access levels to new modules / plugins

I made a plugin, but I have problems with access levels.
FA version 2.2.8

I have read https://frontaccounting.com/fawiki/index.php?n=Devel.AccessControl

I have a module with access_levels.php with this:

define('SS_MEXCFD',    201<<8);
$security_sections[SS_MEXCFD] = _("MEXCFD (electronic invoices)");

$security_areas['SA_MEXCFD_SETUP'] = array(SS_MEXCFD|1, _("MEXCFD Connector Setup")) ;
$security_areas['SA_MEXCFD_NOTICES'] = array(SS_MEXCFD|2, _("MEXCFD Notices")) ;
/*
201<<8   => 1100100100000000 (51456)
201<<8|1 => 1100100100000001 (51457)
201<<8|2 => 1100100100000010 (51458)
*/

I try to enter my module, setting $page_security = 'SA_MEXCFD_SETUP';
And get an error about "The security settings on your account do not permit you to access this function"

The role I'm using already has the permission set at Access Setup (I logged out and logged in again)

In the database the access is stored as 91136, 91236 and 91237

91136 => 10110010000000000
91236 => 10110010001100100
91237 => 10110010001100101

I have found this relation between the permission code (for SA_MEXCFD_SETUP) and the permission set by the access setup:

91236 & 51456 => 16384 => 100000000000000

I don't know if this is the normal behavior or what I have to do in order to use the permission I'm setting in $page_security.

I have also checked the file current_user.php, and the step where it returns false is this:

return $code && in_array($code, $this->role_set) && ($this->company == 0 || (($code&~0xff) != SS_SADMIN));
$code = 51457;
in_array($code, $this->role_set) => this return false
$this->role_set contains 91236 instead of 51457;

Could you please advise about this ? Thanks in advance !!

Re: access levels to new modules / plugins

I have manually added the permissions to the database.
security_roles.sections <= added ";51456"
security_roles.areas, <= added ";51457;51458"

The message about "The security settings on your account do not permit you to access this function" now disappears, so there is maybe a bug in the Access Setup (/admin/security_roles.php) that stores the value adding 16384 => 100000000000000.

Please advise.

Re: access levels to new modules / plugins

Seems you have found a bug. I guess it is related to mixed signed/unsigned logic used in access functions, and will be fixed asap. In the meantime you can use 100 instead of 201 as base for security area codes, which should omit the problem for now.
Thank you for all your effort to investigate the problem.
Janusz

Re: access levels to new modules / plugins

I continue reviewing the code and I found this.

You are moving all the permissions specified by plug-ins or modules (specified in $security_sections and $security_areas) by adding a counter and the extension id so it will not interfere with the normal permissions.

When those files are included the variables $security_areas and $security_sections are not the global variables, they are local variables that you use as basis to the new codes.

$page_security = 'SA_MEXCFD_SETUP';
include_once($path_to_root . "/includes/session.inc");
add_access_extensions();

If a module or plug-in is using different codes for security, the function add_access_extensions() must be called in order to add the permissions described in 'acc_file'.

This is solved, I hope this information works for other people

Re: access levels to new modules / plugins

Yes, of course you are right. add_access_extensions() has to be called inside extension files to have security areas maintained by core source code. This way module access areas do not interfere with core or any other module's security areas. Thanks for the information that you have found a problem.

Janusz
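
The mismatch discussed in this thread, as an added example that is not part of the original posts and is not FrontAccounting's own code: it shows why the code a module declares (51457) fails the membership check while the stored code (91236) passes. The field layout (extension id in bits 16 and up, section in bits 8-15, area in bits 0-7), the counters starting at 100, extension id 1, and the function names are assumptions inferred from the numbers quoted above.

```php
<?php
// Added illustration, not FrontAccounting source. Layout and counters are
// assumptions inferred from the values 91136 / 91236 / 91237 in the thread.

// Split a security code into its assumed fields.
function split_code(int $code): array {
    return ['ext' => $code >> 16, 'section' => ($code >> 8) & 0xff, 'area' => $code & 0xff];
}

// Hypothetical remap: the section/area numbers chosen by the module are
// replaced by per-extension counters and tagged with the extension id.
function remap_extension_areas(int $ext_id, array $areas): array {
    $section_map = [];      // module's own section number => assigned counter
    $next_section = 100;
    $next_area = 100;
    $out = [];
    foreach ($areas as $name => $code) {
        $sec = ($code >> 8) & 0xff;
        if (!isset($section_map[$sec])) {
            $section_map[$sec] = $next_section++;
        }
        $out[$name] = ($ext_id << 16) | ($section_map[$sec] << 8) | $next_area++;
    }
    return $out;
}

// Same membership test as the in_array() step quoted from current_user.php.
function role_allows(array $role_set, int $code): bool {
    return $code && in_array($code, $role_set, true);
}

// Codes as declared in the module's access_levels.php (from the thread).
$declared = ['SA_MEXCFD_SETUP' => 201 << 8 | 1, 'SA_MEXCFD_NOTICES' => 201 << 8 | 2];
// Codes stored for the role by Access Setup (from the thread).
$role_set = [91136, 91236, 91237];
$remapped = remap_extension_areas(1, $declared);   // extension id 1 is assumed

foreach ($declared as $name => $raw) {
    printf("%-18s raw=%d allowed=%s | remapped=%d allowed=%s\n",
        $name, $raw, var_export(role_allows($role_set, $raw), true),
        $remapped[$name], var_export(role_allows($role_set, $remapped[$name]), true));
}
foreach ($role_set as $code) {
    echo $code, ' => ', json_encode(split_code($code)), "\n";
}
```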