Enforcing permissions

Talk about writing modules and plugins for CMS Made Simple, or about specific core functionality. This board is for PHP programmers who are contributing to CMSMS, not for site developers.
Pierre M.

Enforcing permissions

Post by Pierre M. »

Hello,

A friendly question to the DevTeam: in http://forum.cmsmadesimple.org/index.ph ... 210.0.html I have read something like: "Not giving users the xyz right will remove xyz feature from the menu" (beware, I don't carbon-quote, I've modified the sentence). My question is: when launched, does the xyz feature still check that the user is granted the right to execute it? Or, put another way: does each "action" block of code enforce permissions at its beginning, or does it only rely on its menu/URL to be reached?

Pierre M.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Enforcing permissions

Post by calguy1000 »

The permissions checked on each request depend on the page or module action.

However, that said.... the admin theme needs to be processed on each request in order to build the menus, etc. so in there, there will be a great deal of permissions checks to test what features are available.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Pierre M.

Re: Enforcing permissions

Post by Pierre M. »

It depends on xyz, sure. Mileage may vary among modules and features. Hmmm.

About the admin theme (alone) firing up permissions checks: hmm, if I understand correctly, it could mean that there may be ways, once logged in, to launch some xyz action code block which is not admin GUI linked without the required permissions? Or is everything GUI linked?

Behind all these questions, what I have in mind is: permissions enforcement should be done both at the GUI level (show/hide xyz) and at the action level. Thinking loudly, maybe badly :-)

Pierre
calguy1000

Re: Enforcing permissions

Post by calguy1000 »

Well, permissions are checked to determine what menus to display.

If you happen to know the URL to directly access a module action or a page... AND that page doesn't do an additional permission check, then yes.... there could be security issues.

Yes, you are correct, it has to be done both at the menu level and at the action level... and for the most part, we do that (well, at least Ted and I).
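
The two layers agreed on above, as an added PHP sketch (not code from CMSMS or from the posters): the menu builder only hides entries, while the dispatcher re-checks the permission on every request, including for an action that no menu links to. The action names, permission names and helper functions are hypothetical, and the sample user is constructed.

```php
<?php
declare(strict_types=1);
// Added illustration; all names here are hypothetical, not the CMSMS API.

final class PermissionDenied extends RuntimeException {}

// Each action declares the permission it requires next to its handler.
$actions = [
    'list_news'   => ['perm' => 'View News',   'run' => fn() => 'news list'],
    'delete_news' => ['perm' => 'Modify News', 'run' => fn() => 'news item deleted'],
    // Never shown in any menu, but still reachable by a typed URL.
    'purge_cache' => ['perm' => 'Modify Site Preferences', 'menu' => false,
                      'run' => fn() => 'cache purged'],
];

function userCan(array $user, string $perm): bool {
    return in_array($perm, $user['perms'], true);
}

// GUI level: decides only what is displayed.
function buildMenu(array $actions, array $user): array {
    $menu = [];
    foreach ($actions as $name => $a) {
        if (($a['menu'] ?? true) && userCan($user, $a['perm'])) {
            $menu[] = $name;
        }
    }
    return $menu;
}

// Action level: runs on every request, however the action was reached.
function dispatch(array $actions, array $user, string $name): string {
    if (!isset($actions[$name])) {
        throw new InvalidArgumentException("unknown action: $name");
    }
    $perm = $actions[$name]['perm'];
    if (!userCan($user, $perm)) {
        throw new PermissionDenied("$name requires '$perm'");
    }
    return $actions[$name]['run']();
}

$editor = ['name' => 'editor', 'perms' => ['View News']]; // constructed sample user
echo 'menu: ', implode(', ', buildMenu($actions, $editor)), "\n";
foreach (['list_news', 'delete_news', 'purge_cache'] as $requested) {
    try {
        echo "$requested: ", dispatch($actions, $editor, $requested), "\n";
    } catch (PermissionDenied $e) {
        echo "$requested: denied (", $e->getMessage(), ")\n";
    }
}
```
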
Pierre M.

Re: Enforcing permissions

Post by Pierre M. »

Thank you very much for your response.

Have fun coding :-)

Pierre M.