<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:9pt;font-family:Sans Serif">
<p>On Wednesday 05 March 2008, Bruno Remy wrote:</p>
<p>> Hello,</p>
<p>></p>
<p>> When a single user (not an admin) logs into tha "admin" page</p>
<p>> (http://auth.zapquebec.org/admin/index.php)</p>
<p>> he is not supposed to see this frame :</p>
<p></p>
<p>Actually, the bug it the other way around ;) Everyone is supposed to be able to add content to the library (hopefully artistic), and then ask to put it up on hotspots. It's what wifidog has been designed for!</p>
<p></p>
<p>Save for a few bugs that occasionally broke that feature, it has been in wifidog since almost the begining!</p>
<p></p>
<p>But right now, because permission system isn't fully implemented yet (specifically default system roles aren't implemented yet) so there is no "validated user" role that we can tie the SERVER_PERM_EDIT_CONTENT_LIBRARY to, So right now only users that have been assigned a role that includes SERVER_PERM_EDIT_CONTENT_LIBRARY see that menu option (and indeed, my zap québec user does NOT see it), but don't expect that to continue. Working on this specific permission as a proof of concept is how I noticed that I needed to add default roled before I continue, but I didn't realize that I broke something I consider a fundamental feature.</p>
<p></p>
<p>> It's a critical security failure, because he can acces to the "reusable</p>
<p>> content library" and not only in "Read-only" but he can modify or</p>
<p>> delete items !</p>
<p></p>
<p>Only for items the user owns (or has been granted access to)</p>
<p></p>
<p>> This feature has to be disabled.</p>
<p></p>
<p>In my opinion, this feature has to be restored!</p>
<p></p>
<p>There has been repeated request for people to help finish the permission system and add access control to the different areas of wifidog. That will make this (and a lot more) configurable according to every groups choices. I spent a few hundred hours creating the API, documenting it really well, and implementing most of it, as well as using in in several places already (as examples). Unfortunately, so far I dind't get any help.</p>
<p></p>
<p></p>
<p>-- </p>
<p>Benoit Grégoire</p>
<p>Technologies Coeus inc.</p>
</body></html>