Hello Everyone,
My security module is not working, and the site has already gone live. During testing it seemed to work, but observe the following:
When I test it on the live site, say mysite.com/myapp:
I get the proper menu displayed, based on the group of the user.
HOWEVER, ANY PERSON CAN JUST TYPE IN THE ADDRESS BAR TO ACCESS APPS NOT LISTED IN THE MENU, EVEN THOUGH IN THE Security > Group Applications I have not given permission to the group in question.
Please review… I need urgent help.
I have the following code in app_Login:
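//Codes auto-generated by scriptcase
// Purpose: after a successful login, read the group's per-application
// privileges from sec_groups_apps, publish them to the session via
// sc_apl_status()/sc_apl_conf(), then send the user to the menu that
// matches their group description.
//
// NOTE(review): this block only sets status/privileges for the applications
// the query RETURNS. It is not, on its own, what stops a user from opening an
// application by typing its URL -- that check is made inside each application
// (each app must have the security option enabled so it consults the status
// published here). Applications with no row in sec_groups_apps for this group
// are never passed to sc_apl_status() below, so their status is whatever the
// framework default is -- confirm that default denies, or set 'off' explicitly
// for every application in the project.
//
// NOTE(review): the login value is concatenated into SQL here and in the
// lookups further down. It is the authenticated session value rather than raw
// request input, but it should still pass through the framework's escaping
// macro (sc_sql_injection) -- check the documentation for whether that macro
// returns the value already quoted before combining it with the quotes used
// in these statements.
$sql = "SELECT
app_name,
priv_access,
priv_insert,
priv_delete,
priv_update,
priv_export,
priv_print
FROM sec_groups_apps
WHERE group_id IN
(SELECT
group_id
FROM
sec_users_groups
WHERE
login = '". [usr_login] ."')";
sc_select(rs, $sql);
if ({rs} !== false)
{
    while (!$rs->EOF)
    {
        // Column order of the SELECT above:
        // 0 app_name, 1 priv_access, 2 priv_insert, 3 priv_delete,
        // 4 priv_update, 5 priv_export, 6 priv_print.
        if ($rs->fields[1] == 'Y')
        {
            sc_apl_status($rs->fields[0], 'on');
        }
        else
        {
            sc_apl_status($rs->fields[0], 'off');
        }
        sc_apl_conf($rs->fields[0], 'insert', has_priv($rs->fields[2]));
        sc_apl_conf($rs->fields[0], 'delete', has_priv($rs->fields[3]));
        sc_apl_conf($rs->fields[0], 'update', has_priv($rs->fields[4]));
        //export
        // One export flag (priv_export) drives every export format button.
        $export_permission = 'btn_display_'. has_priv($rs->fields[5]);
        foreach (array('xls', 'word', 'pdf', 'xml', 'csv', 'rtf') as $export_format)
        {
            sc_apl_conf($rs->fields[0], $export_permission, $export_format);
        }
        //print
        $export_permission = 'btn_display_'. has_priv($rs->fields[6]);
        sc_apl_conf($rs->fields[0], $export_permission, 'print');
        $rs->MoveNext();
    }
    $rs->Close();
    if(sc_logged({login})):
        sc_log_add('login', {lang_login_ok});
        sc_user_logout('logged_user', 'logout', 'app_Login');
        /* MY LINES START HERE */
        // Resolve the user's group description and redirect to that group's
        // menu. Only the first group row is used: a user belonging to several
        // groups is sent to whichever group the database returns first. If
        // multi-group membership is allowed, the precedence should be decided
        // here explicitly rather than left to row order.
        $currentuser = [usr_login];
        $check_sql = "SELECT group_id FROM sec_users_groups WHERE login = " . "'" . $currentuser . "'";
        sc_lookup(rs, $check_sql);
        // {rs} is false on a query error and an empty array when there is no
        // membership row; in both cases {rs[0][0]} would be undefined, so stop
        // here instead of guessing a menu.
        if ({rs} === false || count({rs}) == 0)
        {
            sc_log_add('login', 'no group membership found for ' . $currentuser);
            sc_error_message('Your user has no group assigned. Contact the administrator.');
            sc_error_exit();
        }
        $groupid = {rs[0][0]};
        $check_sql = "SELECT description FROM sec_groups WHERE group_id = " . "'" . $groupid . "'";
        sc_lookup(rs, $check_sql);
        if ({rs} === false || count({rs}) == 0)
        {
            sc_log_add('login', 'no group description found for group ' . $groupid);
            sc_error_message('Your group is not configured. Contact the administrator.');
            sc_error_exit();
        }
        $group = {rs[0][0]};
        // Map the group description to its menu application. The "Null" case
        // matches the literal string "Null" only; a SQL NULL description is
        // handled by the default branch.
        switch ($group)
        {
            case "Accountant":
                sc_redir('MenuAccountant');
                break;
            case "DataEntry":
                sc_redir('MenuDataEntry');
                break;
            case "Null":
                sc_redir('MenuNull');
                break;
            case "Sales":
                sc_redir('MenuSales');
                break;
            case "Supervisor":
                sc_redir('MenuSupervisor');
                break;
            case "Auditor":
                sc_redir('MenuAuditor');
                break;
            case "Administrator":
                sc_redir('Menu');
                break;
            default:
                // A group with no menu mapped here previously produced no
                // redirect at all, leaving the session logged in with no
                // destination. Fail closed and record it.
                sc_log_add('login', 'no menu mapped for group ' . $group);
                sc_error_message('No menu is configured for your group. Contact the administrator.');
                sc_error_exit();
        }
        /* MY LINES ENDS HERE */
        //sc_redir('Menu'); COMMENTING DONE, AS IT IS REPLACED BY MY CODES
    endif;
}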