fdesanto VIP
Total posts: 34
17 Nov 2015 15:57

Hi, I have a problem with "Action - Change user group": this plugin adds/removes the user from a Joomla usergroup but does not update the session, so functions like `JFactory::getUser()->getAuthorisedViewLevels()` return the previous value. The user needs to login/logout to apply ACL based on the new usergroups.

Last Modified: 26 Nov 2015


Sergey
Total posts: 13,748
24 Nov 2015 14:30

This is strange. I am using the Joomla helper `JUserHelper::addUserToGroup()`. So I am not adding this; this is a core Joomla method and it used to work before.


fdesanto VIP
Total posts: 34
24 Nov 2015 15:20

Hi, this function works to add users to a usergroup, but it does not refresh the session.

Try this:

  1. Create an article with "Special" ACL

  2. Now create a subscription that adds the user to group "Author"

  3. If the user gets this subscription, he will be added to the Author usergroup but he can't access the Special article


fdesanto VIP
Total posts: 34
24 Nov 2015 19:45

Sorry, to make this test use a usergroup like "Manager" or "Administrator"

------------ IGNORE THIS MESSAGE, IN JOOMLA DEFAULT INSTALLATION "AUTHOR" ALREADY HAS "SPECIAL" ACL ------------


pepperstreet VIP
Total posts: 3,837
25 Nov 2015 00:37

> fdesanto: User need to login/logout to apply ACL based on new usergroups.

This is the way Joomla works.
Frankly speaking, I don't know of any other extension that modifies/updates the session data.
(Although, this is technically possible)

Personally, I don't see a problem with login/out procedure.
Session lifetime is limited, if you are concerned about abuse.
IMHO, it is not likely that a user tries to keep his session "alive" for ever.


fdesanto VIP
Total posts: 34
25 Nov 2015 08:50

Hi pepperstreet and Sergey, this is not a problem with logout/login.

The user needs to logout/login to update his ACL.

I have also tried on a fresh Joomla install.

Try this:

  1. Go to the site http://dev06.newdigilab.com/joomla/ (fresh Joomla installation, only Emerald installed)

  2. Try to go to menu item "Special Article" -> you get the message "You are not authorised to view this resource." (this is normal, a guest does not have Special ACL)

  3. Register an account (no activation required)

  4. Log in with your account

  5. Try to go to menu item "Special Article" -> you get the message "You are not authorised to view this resource." (this is normal, the user does not have Special ACL)

  6. Go to menu "Plan" and buy plan "Become Author", it's free.

  7. This plan adds you to the "Author" usergroup

  8. Try to go to menu item "Special Article" -> you get the message "You are not authorised to view this resource." (this is bad, now you should have access to this article)

  9. Logout/login

  10. Now step 8 works!!

After logout/login you will also see the "Emerald" menu item, to check my simple plan configuration.


jimie VIP
Total posts: 531
25 Nov 2015 13:47

Hello

Try this and see if it helps on your issue:

Open this file:

/libraries/joomla/user/user.php

find:


```php
if (empty($this->_authLevels)) {
    $this->_authLevels = JAccess::getAuthorisedViewLevels($this->id);
}
```

replace with:


```php
if (empty($this->_authLevels) || $this->_authLevels != JAccess::getAuthorisedViewLevels($this->id)) {
    $this->_authLevels = JAccess::getAuthorisedViewLevels($this->id);
}
```

rgds


fdesanto VIP
Total posts: 34
25 Nov 2015 13:56

> This is the way Joomla works.

Yes, but not the way for a subscription component.

All components that change usergroups need to refresh the session.

For a subscription component this is critical: if the user has the "remember me" parameter, he will have privileges for a lifetime after the subscription expires (if he does not logout), this is very dangerous!!

If a customer buys a subscription, why does he need to logout/login?

The solution is simple, I sent the modification via Skype to Sergey. Now I'm waiting (8 days) for some response from Sergey to know if he will fix this serious bug or not, in order to know if I can update with future releases of this plugin.

> I don't know of any other extension that modifies/updates the session data

All subscription components (Payplans, CBSubs, OS Membership, RSMembership), profiler components like (Easy Profile, Community Builder), e-commerce products (Virtuemart, Hikashop) and many others.


Sergey
Total posts: 13,748
25 Nov 2015 14:22

I have fixed it. I have found a way. The JUser class has a method.

```php
$user = JFactory::getUser();
$user->clearAccessRights();
```

After that `$this->_authLevels` is reset to NULL.


Sergey
Total posts: 13,748
25 Nov 2015 14:25

I have uploaded v 9.12, please try.


fdesanto VIP
Total posts: 34
25 Nov 2015 14:54

This is fantastic news!!

Minor fix:

I have a 500 error "PHP Fatal error: Call to a member function clearAccessRights() on a non-object"

At line 25 and at line 62 I have replaced this: `$this->user->clearAccessRights();` with this: `JFactory::getUser($subscription->user_id)->clearAccessRights();`


Sergey
Total posts: 13,748
26 Nov 2015 07:04

> fdesanto: This is fantastic news!!
>
> Minor fix:
>
> I have a 500 error "PHP Fatal error: Call to a member function clearAccessRights() on a non-object"
>
> At line 25 and at line 62 I have replaced this: `$this->user->clearAccessRights();` with this: `JFactory::getUser($subscription->user_id)->clearAccessRights();`

That is OK. In the next update of Emerald it will be fixed. There is some change in Emerald too. I forgot about that.
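
The fix discussed in this thread, written out as an added example (not Emerald's or Joomla's own code, and not posted by any participant). `exampleChangeGroup()` is a hypothetical helper; it assumes Joomla 3.4+ and the database session handler, and it goes one step beyond the thread by deleting the user's other session rows on removal, which covers the expired-subscription case raised above.

```php
<?php
// Added example, not Emerald's code. exampleChangeGroup() is a hypothetical
// helper. Assumes Joomla 3.4+ and the database session handler.
defined('_JEXEC') or die;

/**
 * Change a user's group and keep cached view levels from outliving the change.
 *
 * @param   int   $userId   affected user, e.g. $subscription->user_id
 * @param   int   $groupId  Joomla usergroup id
 * @param   bool  $add      true = grant, false = revoke (subscription expired)
 * @return  string  'refreshed', 'sessions_dropped' or 'next_login'
 */
function exampleChangeGroup($userId, $groupId, $add = true)
{
    $userId  = (int) $userId;   // database rows return ids as strings
    $groupId = (int) $groupId;

    if ($add) {
        JUserHelper::addUserToGroup($userId, $groupId);
    } else {
        JUserHelper::removeUserFromGroup($userId, $groupId);
    }

    JAccess::clearStatics();    // per-request caches may hold the old groups

    $current = JFactory::getUser();          // JUser kept in this session
    $isSelf  = !$current->guest && (int) $current->id === $userId;

    if ($isSelf) {
        $current->clearAccessRights();       // cached levels rebuilt on next use
    }
    if ($add) {
        return $isSelf ? 'refreshed' : 'next_login';
    }

    // Revocation: every other session of this user still holds a serialized
    // JUser with the old levels, so delete those rows to force a new login.
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->delete($db->quoteName('#__session'))
        ->where($db->quoteName('userid') . ' = ' . $userId)
        ->where($db->quoteName('session_id') . ' <> '
            . $db->quote(JFactory::getSession()->getId()));
    $db->setQuery($query)->execute();

    return $isSelf ? 'refreshed' : 'sessions_dropped';
}
```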
