Thanks for the report. Note however that there's an intrinsic flaw of any such PHP/MySQL product: if you can have some code running, you have full access to the database, therefore you have access to all users' data. Enforcing a more restrictive model would imply relying on the database security system (including passwords), which, in the end, would be a nightmare. We'll study your report carefully and do whatever we can to strengthen the framework.
greg

--
https://bugs.launchpad.net/bugs/1117723

Title:
  USER_getGroupsQuery and USER_getRolesQuery give back very wrong results in some cases

Status in Open Source PHP RAD Framework with UI.:
  Confirmed

Bug description:
  Both methods are written without really taking into account that they might be called to get information about another user, not the logged-in one.

  PHPDS->USER_getRolesQuery() checks $this->user->mergeRoles and abandons further database checks if that field is not empty. It also writes information to $this->user->mergeRoles, so the results of the first user checked by this query will be the only result given back by it in future calls. And I'm pretty sure $this->user->mergeRoles should return only the current user's roles.

  PHPDS->USER_getGroupsQuery() does exactly the same with $this->user->mergeGroups, and furthermore it gives back the main group more than once (this is because $group_string will contain the main group after checking it for children. $group_main shouldn't be merged with $group_string after this).

  Also, $group_array is an array response from a query. It should be extended with $group_array[] = array('user_group_id' => $group_main), not $group_array[$group_main] = array('user_group_id' => $group_main)

  To test this, just run $this->userGetRoles($userid) or $this->userGetGroups($userid) for 2 different users.
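
The caching behaviour described in the bug report, reduced to a stand-alone sketch. This is an added example, not code from PHPDevShell or from anyone in the thread: the class names, rolesFor(), withMainGroup() and the ROLE_TABLE data are hypothetical, and the duplicate check in withMainGroup() is an assumption that goes slightly beyond the append fix the report asks for.

```php
<?php
// Constructed sample data standing in for the role table: user id => role ids.
const ROLE_TABLE = [1 => [10, 11], 2 => [20]];

// Pattern from the report: one cache slot shared by every user id queried.
class SingleSlotLookup
{
    private array $mergeRoles = [];

    public function rolesFor(int $userId): array
    {
        if (!empty($this->mergeRoles)) {
            return $this->mergeRoles; // flaw: never checks whose roles are cached
        }
        $this->mergeRoles = ROLE_TABLE[$userId] ?? [];
        return $this->mergeRoles;
    }
}

// Corrected pattern: the cache is keyed by the user id that was asked about.
class PerUserLookup
{
    private array $rolesByUser = [];

    public function rolesFor(int $userId): array
    {
        if (!array_key_exists($userId, $this->rolesByUser)) {
            $this->rolesByUser[$userId] = ROLE_TABLE[$userId] ?? [];
        }
        return $this->rolesByUser[$userId];
    }
}

// Append the main group as a new row (not keyed by its id), and only once.
function withMainGroup(array $rows, int $mainGroup): array
{
    if (!in_array($mainGroup, array_column($rows, 'user_group_id'), true)) {
        $rows[] = ['user_group_id' => $mainGroup];
    }
    return $rows;
}

$bad = new SingleSlotLookup();
$bad->rolesFor(1);
var_dump($bad->rolesFor(2) === ROLE_TABLE[1]);  // second user compared with first user's roles

$good = new PerUserLookup();
$good->rolesFor(1);
var_dump($good->rolesFor(2) === ROLE_TABLE[2]); // second user compared with its own roles

var_dump(withMainGroup([['user_group_id' => 3], ['user_group_id' => 5]], 3));
```

Any permission check built on the single-slot lookup decides access for the second user with the first user's roles, so a regression test should always query at least two different user ids within the same request.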

