UnAuthorized !!!!!!

Hello Everyone,

I have a problem with the security module found in the OnValidateSuccess:

//Codes auto-generated by scriptcase
$sql = "SELECT 
        app_name,
        priv_access,
        priv_insert,
        priv_delete,
        priv_update,
        priv_export,
        priv_print
          FROM sec_groups_apps
          WHERE group_id IN
              (SELECT
               group_id
           FROM
               sec_users_groups 
           WHERE
               login = '". [usr_login] ."')";
        
    
sc_select(rs, $sql);
if ({rs} !== false)
{
    while (!$rs->EOF)
    {
        if( $rs->fields[1] == 'Y')
        {
            sc_apl_status($rs->fields[0], 'on');
        }
        else
        {
            sc_apl_status($rs->fields[0], 'off');
        }

        sc_apl_conf($rs->fields[0], 'insert', has_priv($rs->fields[2]));
        sc_apl_conf($rs->fields[0], 'delete', has_priv($rs->fields[3]));
        sc_apl_conf($rs->fields[0], 'update', has_priv($rs->fields[4]));
        //export
        $export_permission = 'btn_display_'. has_priv($rs->fields[5]);
        sc_apl_conf($rs->fields[0], $export_permission, 'xls');
        sc_apl_conf($rs->fields[0], $export_permission, 'word');
        sc_apl_conf($rs->fields[0], $export_permission, 'pdf');
        sc_apl_conf($rs->fields[0], $export_permission, 'xml');
        sc_apl_conf($rs->fields[0], $export_permission, 'csv');
        sc_apl_conf($rs->fields[0], $export_permission, 'rtf');
        //export
        
        $export_permission = 'btn_display_'. has_priv($rs->fields[6]);
        sc_apl_conf($rs->fields[0], $export_permission, 'print');

        $rs->MoveNext();    
    }
    $rs->Close();
    if(sc_logged({login})):
        sc_log_add('login', {lang_login_ok});
        sc_user_logout('logged_user', 'logout', 'app_Login');
        
        
        
    
/* MY LINES START HERE */
    $currentuser = [usr_login];

$check_sql = "SELECT group_id FROM sec_users_groups WHERE login = " . "'" . $currentuser . "'";
sc_lookup(rs, $check_sql);

$groupid = {rs[0][0]};
    
$check_sql = "SELECT description FROM sec_groups WHERE group_id = " . "'" . $groupid . "'";
sc_lookup(rs, $check_sql);

$group = {rs[0][0]};

switch ($group)
{
case "Accountant":
      sc_redir('MenuAccountant');
    break;
    
case "DataEntry":
      sc_redir('MenuDataEntry');
    break;  
    
case "Null":
      sc_redir('MenuNull');
    break;
    
case "Sales":
      sc_redir('MenuSales');
    break;
    
case "Supervisor":
      sc_redir('MenuSupervisor');
    break;
    
case "Auditor":
      sc_redir('MenuAuditor');
    break;
    
case "Administrator":
      sc_redir('Menu');
    break;

}
/* MY LINES END HERE */
    
            //sc_redir('Menu');    COMMENTING DONE, AS IT IS REPLACED BY MY CODES
    endif;
} 

Now, a user is given access rights to ‘MenuSales’, but not ‘Menu’. The user always gets Unauthorised, and sometimes, after the admin logs in and logs out and then asks the user to log in again, it works.

Sometimes it works as expected, sometimes it does not.

Is the above code OK?

Thanks for your replies.

Michael.

The best way is to unset the "use security" checkbox on the primary login page and (if you use that) on the menu around the login page. There’s no need to use the security here.
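
An added example, not part of the original posts and not Scriptcase's generated code: the group lookup and redirect choice from the question, written in plain PHP with PDO instead of the Scriptcase macros (an assumption), with the login bound as a query parameter, the two lookups joined into one, and an explicit result when a user has no group or no mapped menu. The function name `resolve_menu`, the `GROUP_MENUS` constant and the in-memory SQLite rows are constructed for illustration; table, column, group and menu names come from the question.

```php
<?php
// Added example: plain PHP/PDO stand-in for the Scriptcase macros in the question.
// Table, column, group and menu names are from the post; everything else is constructed.
const GROUP_MENUS = [
    'Accountant'    => 'MenuAccountant',
    'DataEntry'     => 'MenuDataEntry',
    'Null'          => 'MenuNull',
    'Sales'         => 'MenuSales',
    'Supervisor'    => 'MenuSupervisor',
    'Auditor'       => 'MenuAuditor',
    'Administrator' => 'Menu',
];

function resolve_menu(PDO $db, string $login): ?string
{
    // One joined query; the login is a bound parameter, never concatenated.
    $stmt = $db->prepare(
        'SELECT g.description
           FROM sec_users_groups ug
           JOIN sec_groups g ON g.group_id = ug.group_id
          WHERE ug.login = :login
          ORDER BY g.group_id'   // fixed order when a user belongs to several groups
    );
    $stmt->execute([':login' => $login]);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $description) {
        $key = (string) $description;
        if (array_key_exists($key, GROUP_MENUS)) {
            return GROUP_MENUS[$key];   // first group that has a mapped menu
        }
    }
    return null;   // no group row, or no menu mapped for the group
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sec_groups (group_id INTEGER PRIMARY KEY, description TEXT)");
$db->exec("CREATE TABLE sec_users_groups (login TEXT, group_id INTEGER)");
$db->exec("INSERT INTO sec_groups VALUES (1, 'Administrator'), (4, 'Sales'), (9, 'Guests')");
$db->exec("INSERT INTO sec_users_groups VALUES ('alice', 4), ('bob', 9), ('carol', 1)");

// 'bob' is in a group with no menu, 'nobody' has no group, "o'brien" contains a quote.
foreach (['alice', 'bob', 'carol', 'nobody', "o'brien"] as $login) {
    $menu = resolve_menu($db, $login);
    echo str_pad($login, 10), ' -> ', $menu ?? '(no menu: do not redirect)', PHP_EOL;
}
```

The `null` return corresponds to the case the question's `switch` has no branch for, where no redirect is issued at all.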