vicidial.org

[udfxrookie]

We have Vici 5.0.3 with the latest SVN update.
VERSION: 2.8-425a
BUILD: 140206-1357
Version: 2.8b0.5
SVN Version: 2070
DB Schema Version: 1368
Issue is an admin was created solely to see the RTD and view reports.
When this admin logs in it clicks modify user and gets a page stating you do not have permission.... perfect.
Then I click Admin and see everything, click Carriers and see everything, click a specific carrier... I see all the details and CAN modify
Even though in this users profile Modify Carriers : 0

Another bug we've found is if you don't give permission to modify something, i.e. a user, the admin can click modify user and make changes... click submit and get a page stating you do not have permission to make changes.... however it MADE the changes.

[mflorell]

Please post to the Issue Tracker with full step-by-step instructions on how you are able to do this. We have to be able to duplicate an issue to fix it.

[udfxrookie]

Reported, with more details:

If user has AGC Admin Access:1 this seems to over ride all other options.
I.e., User level 8, AGC Admin Access :1, EVERYTHING else: 0,
This user will still have access to every option such as servers, carriers, phones and the ability to edit them.

[williamconley]

While I can't confirm this in its entirety, I can say that the user will have access to view many modules they should not (for instance I can see the list of Lists, Campaigns, Scripts) but I cannot edit any of these. I can see Carriers and even attempt to edit the details ... but trying to submit fails (you do not have permission to view this page, and the details were not in fact altered). However, this allows deeper access than I should have ... except that there is no "view" carriers permission checkbox, only "modify". And since I cannot modify .. technically this is ok. In fact, in all cases I've checked I cannot find an actual violation. There is no "View" permission for scripts ... so I can view scripts and that is not a violation (but I cannot modify them because that is "0").

Conclusion: Turn off AGC Admin if you don't want someone to see these things? Or pay to have the rest of the "View" permissions added to limit this access.

And remember to clear cookies and verify you have completely logged out before testing ... (I switch to a different browser type with private browsing to simulate a different user).

And verify (specifically) at least on actual violation: for instance "Modify Scripts" is NOT checked but this user can modify a script ... (when I tested ... the user could SEE but not Modify scripts ...)

[mflorell]

Not a bug, AGC Admin Access:1 is how you used to have access to ALL of the Admin section stuff, so it had to be left in for backward compatibility. If you don't want to use that, then set it to 0.