Fixing Issue with the Group Security Bug

All,
As we all know, there is an issue with the SC security, where it will only give permission on one group.
You cannot add a user to multiple groups.
I have been working this issue all day, and I thought I had it fixed…
But for some reason, it is not working…
Can someone take a look at the login app and see what I may be missing?
I know the SQL is generating the right dataset…

Here is the SQL I am using to get the results…

$sql = "SELECT
            app_name,
            ifnull(max(priv_access), 'N') as priv_access,
            ifnull(max(priv_insert), 'N') as priv_insert,
            ifnull(max(priv_delete), 'N') as priv_delete,
            ifnull(max(priv_update), 'N') as priv_update,
            ifnull(max(priv_export), 'N') as priv_export,
            ifnull(max(priv_print), 'N') as priv_print
        FROM news_sec_groups_apps
        WHERE group_id IN
            (SELECT group_id
             FROM news_sec_users_groups
             WHERE login = '" . [usr_login] . "')
        GROUP BY app_name";

If I echo the sc_apl_conf the results say that the available ones are on, and the denied access are off…

I see there is a function being called but can't see why it would make this not work.
Here is the code in the PHP section of the login program:

// an exact 'Y' maps to 'on'; 'N', NULL or anything else maps to 'off'
return ($param == 'Y' ? 'on' : 'off');

To be honest, I don't know what this is doing…

Come on guys, let's get this issue fixed once and for all.

kev

Kev…

I believe the problem is that you (or somebody) need to decide the ‘stacking order’ of the results.

If I am in two groups, A and B, and A has XML permission Y while B has XML permission N… should I have permission or not?

Some security ‘theory’ says I pick the first match for the resource I find in the list (yes or no).
Some says if any say yes, then I get Y.
Some says they need to be applied in a particular order (first A, then B).
Some says ‘least permission’… so if there are any N, pick N.
Some says ‘most permission’… so if there are any Y, pick Y.

There is really only one ‘answer’ yes or no, but how you get there ‘depends’.

Plus, the sample I looked at had some fields set to NULL, some to Y, some to N.
And the column is defined as TEXT, not just one character… so there are a whole lot of other possibilities.

Is NULL different from N?

Must the field be Y and anything else means N?

I am trying to fix the bug within Scriptcase.
I am not trying to determine their path, just trying to fix their logic.

If you look at their code in the validation success,
it doesn't take multiple groups into consideration.

If the permissions are Y in any of the fields, it turns the application on.

I have put debug in all of the code and the apps should be off.
When the menu comes up,
all the menu applications are available.

I think this is the problem… I am not sure what the ‘right’ answer should be.

group_id  app_name         priv_access  priv_insert  priv_delete  priv_update  priv_export  priv_print
1         app_change_pswd  Y            N            N            N            N            N
2         app_change_pswd  N            N            N            N            N            N

If the user is a member of group 1 and group 2,
should they have access to app_change_pswd or not? (And why?)
Their current logic says that if there is a Y in any column, then the application needs to be enabled (which makes sense… that is the only way they can get to the part of the application they have permission to).

A potential problem is that, at least with MySQL, without an ORDER BY clause the DB is free to return the rows in any order it feels like. So, one time it might return group 2 first, then group 1… so you would end up with ‘Y’… other times it might return group 1, then group 2… so you would end up with ‘N’.

But I believe that their logic is right. If there is a Y in any column, then the user needs to be able to get at the app, and the app needs to show/hide buttons depending on which permissions were set.
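To make the ‘stacking order’ question above concrete, here is an added example (constructed for this thread, not the forum poster's or Scriptcase's own code). It loads the two tables named in the posted SQL, news_sec_users_groups and news_sec_groups_apps, into an in-memory SQLite database with the two app_change_pswd rows from the table above plus one all-NULL row, then runs the thread's MAX()-based “any Y wins” aggregate next to a “least permission” variant, and maps the result through the same 'Y' → 'on' rule quoted from the login app. The login 'kev', the login 'other' and the app 'app_reports' are constructed sample data; the login is bound as a query parameter rather than concatenated into the SQL string.

```python
"""Added example: merging per-group privileges for a user in several groups.

Constructed illustration code, not the thread's or Scriptcase's own.  The
table and column names follow the SQL posted in the thread; the rows, the
logins 'kev'/'other' and the app 'app_reports' are constructed sample data.
"""
import sqlite3

PRIVS = ("priv_access", "priv_insert", "priv_delete",
         "priv_update", "priv_export", "priv_print")


def build_db():
    """Create the two tables and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news_sec_users_groups (login TEXT, group_id INTEGER);
        CREATE TABLE news_sec_groups_apps (
            group_id INTEGER, app_name TEXT,
            priv_access TEXT, priv_insert TEXT, priv_delete TEXT,
            priv_update TEXT, priv_export TEXT, priv_print TEXT);
    """)
    # 'kev' is in groups 1 and 2 (the case asked about); 'other' is only in group 2.
    con.executemany("INSERT INTO news_sec_users_groups VALUES (?, ?)",
                    [("kev", 1), ("kev", 2), ("other", 2)])
    # The two rows quoted in the thread, plus an all-NULL row to show NULL handling.
    con.executemany(
        "INSERT INTO news_sec_groups_apps VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
            (1, "app_change_pswd", "Y", "N", "N", "N", "N", "N"),
            (2, "app_change_pswd", "N", "N", "N", "N", "N", "N"),
            (2, "app_reports", None, None, None, None, None, None),
        ])
    return con


def _aggregate(con, login, expr):
    """Run one GROUP BY app_name aggregate; expr is applied to each priv column.

    The column list comes from the constant PRIVS tuple, never from input, and
    the login is bound as a parameter instead of being spliced into the string.
    Returns {app_name: {priv_column: 'Y' | 'N'}}.
    """
    cols = ", ".join(f"{expr.format(col=p)} AS {p}" for p in PRIVS)
    sql = f"""
        SELECT app_name, {cols}
          FROM news_sec_groups_apps
         WHERE group_id IN (SELECT group_id
                              FROM news_sec_users_groups
                             WHERE login = ?)
         GROUP BY app_name
         ORDER BY app_name"""
    rows = con.execute(sql, (login,)).fetchall()
    return {row[0]: dict(zip(PRIVS, row[1:])) for row in rows}


def most_permission(con, login):
    """The thread's policy: MAX() skips NULLs and 'Y' sorts above 'N',
    so a 'Y' in any of the user's groups wins; an all-NULL column becomes 'N'."""
    return _aggregate(con, login, "IFNULL(MAX({col}), 'N')")


def least_permission(con, login):
    """'If there are any N, pick N': NULL is treated as 'N' before MIN()."""
    return _aggregate(con, login, "MIN(COALESCE({col}, 'N'))")


def to_switch(flag):
    """Same mapping as the one-liner quoted from the login app: only an exact
    'Y' turns an application on; 'N', NULL or anything else turns it off."""
    return "on" if flag == "Y" else "off"


if __name__ == "__main__":
    db = build_db()
    for policy in (most_permission, least_permission):
        print(policy.__name__)
        for app, privs in policy(db, "kev").items():
            print(f"  {app}: access={to_switch(privs['priv_access'])}", privs)
```

With 'kev' in both groups, most_permission() gives app_change_pswd priv_access 'Y' (group 1 wins) while least_permission() gives 'N' (group 2 wins); the all-NULL app_reports row comes out 'N' under both policies. Because the merge happens in the aggregate, the result no longer depends on which group row the database happens to return first.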

That is correct.
That is why the code needs to select distinct records:

$sql = "SELECT
            app_name,
            ifnull(max(priv_access), 'N') as priv_access,
            ifnull(max(priv_insert), 'N') as priv_insert,
            ifnull(max(priv_delete), 'N') as priv_delete,
            ifnull(max(priv_update), 'N') as priv_update,
            ifnull(max(priv_export), 'N') as priv_export,
            ifnull(max(priv_print), 'N') as priv_print
        FROM news_sec_groups_apps
        WHERE group_id IN
            (SELECT group_id
             FROM news_sec_users_groups
             WHERE login = '" . [usr_login] . "')
        GROUP BY app_name";

This works.
For some reason the menu is not
displaying it as the code says to.

There has been a notice somewhere that the menu is not working with the security model in 7. I have a working model in 7, but I don’t know if my situation is comparable as I use my own security model. The most advanced generated model is very complicated to end-users and admins with the enormous amounts of checkboxes. I like to separate my users to ‘roles’ and apply security on those roles.

Yeah,
this is all dealing with ver 6.

Well…
as Roseanne Roseannadanna said… never mind…
It works perfectly if you turn on security and password in the MYSETTINGS…

At least we can now add multiple groups to users by changing the SQL in the login…

Kev

What the heck is that… do we have to fix that security as well? I'm getting this issue with ver 7.

Yeah,
and your donations for my time and effort are welcome.
:wink:

I'm still having problems with multiple groups.
Is there any easy, sensible solution so I can fix it by myself?

Please help us.
Thanks

Did you follow the instructions that I put in the fix in this post?
If so, then what is the problem?

Kevin

Yes Kevin, after posting this thread I followed the instructions, and it looks like it's working, but…
I don't feel satisfied; it might go wrong after I make the application live on the production environment.

What do you think about it… please advise…
But it's working now…

As long as you don't recreate the security module,
it will not revert.
The coding will stay.

Kevin

Thanks Kevin,

It's working fine now… I will keep your advice for future updates.

Thanks again.

After so many years, it seems that the error persists, at least in version 9.7.00.

Some time ago I used maybe a 9.4 version (I don't remember exactly, but it was definitely version 9) and I didn't have these errors in the “applications per group” module.

I don't know what has changed, and although I understand @Kdriscoll's solution, I can't adapt it in SC. Is it necessary to execute it in an Event of the application “sec_form_sec_group_apps”?