table access

6 posts by 3 authors in: Forums > CMS Builder
Last Post: October 12, 2010   (RSS)

By rentittoday - October 6, 2010 - edited: October 6, 2010

Hey Guys,

We have successfully switched our categories to multi-category and use the membership plugin which gave us our coveted security features, such as author, editor, etc.

We have setup the code in our sign up form to allow new users an author status to all sections by default. For now, we go into CMS and setup the appropriate authorization status "by section" once they have signed up.

This system works fine except for when it comes to the accounts section.

When a new user signs up, they can go and add a listing to any category but they cannot see any of the other listings from other users. Which is my understanding of how the author status works. However, they can view ALL of the other users in the accounts section. They cannot edit or delete, thankfully, but we still, for privacy reasons, cannot have this. The accounts table is the only table we have this issue with.

I tried editing our sign up form code, giving the accounts table an access level of "0" which I believe is no access but it still does not work. How can we prevent users from seeing the users table?

Thanks!

Oh, I forgot, once we change the access level to "by section" manually in CMS, this is no longer an issue because there in not an option to give access to the account table. And the new user can no longer see the account table on the menu bar. Which further adds to my confusion of why they would be able to see it when they first sign up. [:/]
Jason Glass

Re: [rentittoday] table access

By Jason - October 6, 2010

Hi,

If you're changing their access level by editing the User Accounts section, you just uncheck the User Accounts section. You can also set it through SQL. You set the accessLevel to 0 where for that userNum where table = accounts. Even if their set to author for all sections, you can still add a record in the accesslist table that sets accounts to 0.

NOTE: Always make a backup before executing SQL commands directly and only do so if you're comfortable with it.

Hope this helps. Let me know if you run into any other issues.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Jason] table access

I know that we can change it manually in the CMS admin panels.
We are able to do that right now and do so when one of our employees sign a new client up.
But the issue is when people find our site, through a search etc, pay to use our service, and are directed to the sign-up page on their own. The form on that page then adds them as a user. And they have access to the user accounts info.
We are alerted by email when someone signs up, and then we go and set their permissions. But we cannot have someone "on-call, 24-7" to watch for emails and setup the permissions manually, as soon as they sign up.

We use this code in our sign-up form to set their access levels right now. And it seems to work fine for all tables, EXCEPT for the accounts table.
// create accesslist entry
// replace 'news' with the table you want the user to access
// replace '6' with the access level they should have: 0=none, 6=writer, 9=manager
// replace '1' with the max listings they are allowed
mysql_query("INSERT INTO `{$TABLE_PREFIX}_accesslist`
(userNum, tableName, accessLevel, maxRecords, randomSaveId)
VALUES ($userNum, 'all', '6', NULL, '1234567890')")
or die("MySQL Error Creating Access List:<br/>\n". htmlspecialchars(mysql_error()) . "\n");


I added this line in the appropriate place to try to single out the accounts table to ensure that users have no access to it, but it did not work.

,
($userNum, 'accounts', '0', 1, '1234567890')


So,I guess it would work if No One ever have access to the accounts table other than admin users. I know that we can remove it from the menu bar but someone could still get to it by entering it in the url. And we would still like to keep it on the menu bar for admin users. I also don't understand why the accounts table is different from all the other tables. Can you explain this as well?

Thanks!
Jason Glass

Re: [rentittoday] table access

By Chris - October 6, 2010

Hi rentittoday,

Great to hear you got everything switched over to Multi Records! :)

I think the simplest solution is to go to Admin > Section Editor > User Accounts, click on the Advanced tab, check the following option and Save:

Disable View [x] Don't allow viewing of records through "view" menu

Does that fix the problem?

I hope this helps! Please let me know if you have any questions.
All the best,
Chris

Re: [chris] table access

Yes we are definitely excited about the multi-record switch. We love the new functionality except for this issue with the accounts. :)

That box is already checked. I unchecked, rechecked and saved but no difference. :/

Any other ways that would allow us to block this category from anyone but an admin?

Thanks!
Jason Glass