user with minimal permissions unable to logout SOLVED
10-15-2018, 01:39 PM, (This post was last modified: 10-17-2018, 04:54 AM by dalescott.)
#1
Hi all, I created an "auditor" user and took away all the privileges that I thought would give them the ability to change something; I wanted the user to have "view only" ability. However, clicking Logout when logged in as this user only causes the page to jump as if the main menu sales had been selected.

Edit: the code is 17 commits behind webERP-team:master on GitHub.

The logout behavior seems completely repeatable switching from the admin user, with no trouble logging out, to the "auditor" user, who cannot log out. I first thought simply closing the browser tab and re-opening it would force a new login, but it seems not the case now. I just re-opened a tab in Edge and browsed to my weberp site and the Main Sales screen opened without having to log in.

This "might" have started in the last year as I thought I would have noticed this when I created the user, around a year ago. Does this seem reasonable?

The "auditor" user:

https://i.imgur.com/yAqKoG4.png

The access permissions for the Auditor security role:

https://i.imgur.com/7aul6um.png


Cheers,
Dale
http://www.dalescott.net
10-15-2018, 04:51 PM,
#2
RE: user with minimal permissions unable to logout
Hi Dale,

I think you will find that the Logout.php script no longer has permissions to run. Looking at the default security settings it requires token 1 which you have not allocated to that user.

To rectify this either add security token 1 to the Auditor role, or change the page security on Logout.php to security token 0 (zero). The latter is the better solution for me.

Thanks
Tim
10-17-2018, 04:54 AM,
#3
RE: user with minimal permissions unable to logout
Thanks Tim. I added security token 1 to the Auditor role and found the auditor user could log out correctly.

I agree changing the page security for Logout.php is the more desirable solution; one should be able to log out regardless of one's access permissions.
http://www.dalescott.net
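
As an added example (not from the thread and not webERP code), this Python model of a token-based page check reproduces the lockout and applies both fixes discussed above. The role and page data, the hypothetical page names `OrderEntry.php` and `AuditReport.php`, and the assumption that every logged-in user holds token 0 are constructed for illustration.

```python
# Constructed model of token-based page security; names and data are
# assumptions for illustration, not webERP code.
UNIVERSAL_TOKEN = 0                # assumption: every logged-in user holds token 0
ESSENTIAL_PAGES = ("Logout.php",)  # pages every role must be able to reach

# page -> required token (Logout.php = 1 as stated in the thread; rest constructed)
PAGE_SECURITY = {"Logout.php": 1, "OrderEntry.php": 1, "AuditReport.php": 8}
# role -> tokens granted (constructed; the thread only says Auditor lacks token 1)
ROLES = {"Admin": {1, 2, 8, 15}, "Auditor": {2, 8}}


def reachable(tokens, page_security):
    """Pages a role can open: the required token must be held (deny by default)."""
    held = set(tokens) | {UNIVERSAL_TOKEN}
    return {page for page, required in page_security.items() if required in held}


def audit(roles, page_security, essential=ESSENTIAL_PAGES):
    """List (role, page) pairs where a role is locked out of an essential page."""
    return sorted(
        (role, page)
        for role, tokens in roles.items()
        for page in essential
        if page not in reachable(tokens, page_security)
    )


def grant_token(roles, role, token):
    """Fix 1 from the thread: add the page's token to the role."""
    return {**roles, role: roles[role] | {token}}


def relax_page(page_security, page):
    """Fix 2 from the thread: require only the universal token for the page."""
    return {**page_security, page: UNIVERSAL_TOKEN}


if __name__ == "__main__":
    print("locked out:", audit(ROLES, PAGE_SECURITY))
    before = reachable(ROLES["Auditor"], PAGE_SECURITY)
    fix1 = reachable(grant_token(ROLES, "Auditor", 1)["Auditor"], PAGE_SECURITY)
    fix2 = reachable(ROLES["Auditor"], relax_page(PAGE_SECURITY, "Logout.php"))
    print("fix 1 newly reachable:", sorted(fix1 - before))
    print("fix 2 newly reachable:", sorted(fix2 - before))
```

In this model, granting token 1 to the role also opens every other page that requires token 1, while moving `Logout.php` to token 0 changes access to that page only.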