Guest Permissions


L3g3ndAry
18-01-06, 10:24 AM
Hi there,

I love the way DotProject works and the flexibility. However, one problem I am having is producing a public login. What I want is to setup a guest login where they can view certain tasks.

This is easy to set up, however, the problem lies with the guests' ability to change the user password from their profile screen. As I could have several people accessing DotProject I need to keep a static password. How can I deny a certain user or role permission to change their password or even possibly deny access to the profile page?

Thanks

L3g3ndAry
21-01-06, 07:31 PM
Just a quick bump!!!

pedroa
21-01-06, 09:22 PM
You'll have to change the user add edit interface not to include the password fields.

Pedro A.

MacOfTheEast
21-01-06, 11:12 PM
Just a quick bump!!!

To expand on PedroA's reply, I would look up the user_id of the guest user. Then, within /modules/admin/addedituser.php, somewhere near the top, do an 'if ($user_id == x)' (where x represents the guest user's user_id) to do an access_denied redirect.

MOTE

L3g3ndAry
22-01-06, 07:31 PM
Thanks for the replies guys, that certainly will help me shape DotProject just the way I need it to work.

L3g3ndAry
29-01-06, 01:10 AM
The user id I am trying to disable edit rights (to both user admin and changing password) is id_2

In addedituser.php after if ($user_id == 0)
$canEdit = $canAuthor;

I assume I could add: if ($user_id == 2) to select a specific user and then on the next line I would need to enter the cannot-edit variable, but I'm not sure what that would be.

From looking at the script and the documentation section here (http://docs.dotproject.net/tiki-index.php?page=dotProject+Framework) it looks like the following code denies access to the password and edit-user parts of dotProject:

// check permissions
if (!$canEdit && $user_id != $AppUI->user_id) {
    $AppUI->redirect( "m=public&a=access_denied" );
}

Do I simply need to add the following code to deny edit permissions to user id_2?
if ($user_id == 2)
!$canEdit = !$canAuthor;

MacOfTheEast
29-01-06, 05:25 AM
Do I simple need to add the following code to deny edit permissions to user id_2?
if ($user_id == 2)
!$canEdit = !$canAuthor;

Fortunately, anything you break can easily be fixed using the same editor that you used to break it :) Let us know how it works out =or= you can wait for an educated person (like pedroA) to reply :)

MOTE

pedroa
29-01-06, 07:39 AM
Let's study:

<?php /* ADMIN $Id: addedituser.php,v 1.47.2.1 2005/11/25 00:26:13 pedroix Exp $ */
// add or edit a system user

$user_id = isset($_GET['user_id']) ? $_GET['user_id'] : 0;

if ($user_id == 0)
    $canEdit = $canAuthor;

if ($canEdit)
    $canEdit = $perms->checkModuleItem('users', ($user_id ? 'edit' : 'add'), $user_id);

// check permissions
if (!$canEdit && $user_id != $AppUI->user_id) {
    $AppUI->redirect( "m=public&a=access_denied" );
}


First $user_id is retrieved from the URL.
If the URL does not have the user_id parameter then we check if the user can add users, because that means we are adding a new user.

Now what you want to do is to deny to user 2 the right to change his account (and all others for that matter) when he is logged in the system.
So you'd change this:

if (!$canEdit && $user_id != $AppUI->user_id) {


to

if ((!$canEdit && $user_id != $AppUI->user_id) || ($AppUI->user_id == 2)) {

This would mean that the logged-in user 2 wouldn't be able to edit any user account including his own.

The way dP is, it will grant every user the right to edit his own account regardless of having edit permission over the users module (that's what && $user_id != $AppUI->user_id means), so if you don't want that behavior as default for all users (a more generic solution than hardcoding the users), you should remove that part of the code and deny those users the edit right over the users module.
Keep in mind that this will prevent these users from changing their own user data as well as their passwords.

Pedro A.
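The two policies Pedro describes above (the hard-coded deny for one account, and the generic alternative of dropping the self-edit exception), written as an added stand-alone example rather than dotProject's own code; $perms and $AppUI are replaced by plain arguments and the restricted-account list is a hypothetical configuration value:

```php
<?php
// Added example (not dotProject code): models the permission gate from
// modules/admin/addedituser.php as a pure function so both policies can be
// compared offline. $perms->checkModuleItem() and $AppUI->user_id are
// replaced by plain arguments; $restrictedIds is a hypothetical config value.

// Policy 1 (the patch from the thread, generalised from one id to a list):
// keep dP's "everyone may edit their own account" rule, but deny it entirely
// for listed shared/guest logins.
function mayEditUser(int $loggedInId, int $targetId, bool $canEditModule,
                     array $restrictedIds): bool
{
    // Original rule: users-module edit right, or editing your own account.
    $allowed = $canEditModule || ($targetId === $loggedInId);
    // Added rule: a restricted (shared/guest) login may edit nothing.
    if (in_array($loggedInId, $restrictedIds, true)) {
        $allowed = false;
    }
    return $allowed;
}

// Policy 2 (the generic alternative): drop the self-edit exception and rely
// only on the users-module permission granted to the role.
function mayEditUserStrict(bool $canEditModule): bool
{
    return $canEditModule;
}

// Constructed cases: [logged-in id, target id, users-module edit right]
$cases = [
    [1, 1, true],   // admin editing own account
    [1, 2, true],   // admin editing the guest account
    [2, 2, false],  // guest editing own account (the problem in the thread)
    [2, 1, false],  // guest trying to edit the admin
    [3, 3, false],  // ordinary user editing own account
];
$restricted = [2];  // guest user_id used in the thread

foreach ($cases as [$me, $target, $canEdit]) {
    printf("user %d -> user %d: patched=%s strict=%s\n", $me, $target,
        mayEditUser($me, $target, $canEdit, $restricted) ? 'allow' : 'deny',
        mayEditUserStrict($canEdit) ? 'allow' : 'deny');
}
```

Because the same gate has to be applied in viewuser.php as well as addedituser.php, keeping it in one shared function means every profile-editing entry point enforces the same decision instead of each file carrying its own patched copy.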

MacOfTheEast
29-01-06, 07:56 AM
Keep in mind that this will prevent these users of changing their own users data as well as the passwords.
Pedro A.

Thanks for bailing me out! :)

L3g3ndAry
29-01-06, 10:53 PM
Firstly, thanks to both of you for your help, it is very much appreciated.

Now what you want to do is to deny to user 2 the right to change his account (and all others for that matter) when he is logged in the system.
So you'd change this:

if (!$canEdit && $user_id != $AppUI->user_id) {


to

if ((!$canEdit && $user_id != $AppUI->user_id) || ($AppUI->user_id == 2)) {

This would mean that the logged-in user 2 wouldn't be able to edit any user account including his own.

Pedro A.

That's precisely what I need to do: deny any edit ability to this user, to 'edit this user', 'edit preferences' and 'change password'.

Strangely I added if ((!$canEdit && $user_id != $AppUI->user_id) || ($AppUI->user_id == 2)) {
on line 12, overwriting the old script. However the user (id 2) can still edit his own preferences and password, although 'edit this user' is properly denied.

Any ideas what I did wrong, or is there a permission in the user administration module that I haven't set?

The only other option I can think of is denying access to 'user administration' and 'admin modules' for that user and then deleting the 'my info' link from the menu near the 'logout' button. If this is an easier method, where would I find the 'my info' shortcut/url to delete from the dotProject pages?

Thanks

pedroa
30-01-06, 12:46 AM
That file is exactly the one where you change the user's data and also the password, so if you need to deny the editing of user preferences you will need to change the code in that file as well, and not only in the addedituser.php file.

You see, every addedit (whatever) file has a permission-checking routine before a user can actually add or edit data.

So you must change every file you believe is sensitive.

Pedro A.

L3g3ndAry
30-01-06, 01:29 AM
Hiya, yes indeed you are correct.

So on line 7 of viewuser.php I changed the line to read || ! $perms->checkModuleItem('users', 'view', $user_id) ) || ($AppUI->user_id == 2))

Now user 2 can click on the 'my info' link but it simply redirects to the 'access denied' page which is exactly what I needed.

Thanks for the detailed and quick replies :-D

MacOfTheEast
30-01-06, 02:02 AM
...which is exactly what I needed.

That PedroA REALLY knows his stuff! He's a real asset to the team!

MOTE

Eggun
30-10-07, 02:15 AM
So I want to make this!

But no solution works on my Unix!

I thought dotProject groups could be set, users assigned to groups, and groups by default would not have certain privileges.

Assign this feature in future versions?

My Post: http://forums.dotproject.net/showthread.php?t=7548

Changing this code:


<?php /* ADMIN $Id: viewuser.php,v 1.39.4.7 2007/03/06 00:34:39 merlinyoda Exp $ */
if (!defined('DP_BASE_DIR')) {
    die('You should not access this file directly.');
}

GLOBAL $addPwT, $company_id, $dept_ids, $department, $min_view, $m, $a;
$user_id = isset( $_GET['user_id'] ) ? $_GET['user_id'] : 0;

if ($user_id != $AppUI->user_id
    && ( ! $perms->checkModuleItem('admin', 'view', $user_id)
      || ! $perms->checkModuleItem('users', 'view', $user_id) ) )
    $AppUI->redirect('m=public&a=access_denied');



to this code:


<?php /* ADMIN $Id: viewuser.php,v 1.39.4.7 2007/03/06 00:34:39 merlinyoda Exp $ */
if (!defined('DP_BASE_DIR')) {
    die('You should not access this file directly.');
}

GLOBAL $addPwT, $company_id, $dept_ids, $department, $min_view, $m, $a;
$user_id = isset( $_GET['user_id'] ) ? $_GET['user_id'] : 0;

if (($user_id != $AppUI->user_id
     && ( ! $perms->checkModuleItem('admin', 'view', $user_id)
       || ! $perms->checkModuleItem('users', 'view', $user_id) ))
    || ($AppUI->user_id == 2))
    $AppUI->redirect('m=public&a=access_denied');