[checkout] order page user permissions

photosinaflash

Joined: 2008-11-23
Posts: 37
Posted: Tue, 2010-05-11 05:33

Hi there,

Using checkout 0.4.3 and checkoutemail 0.4.0

I'm looking for a way (if possible) to create a new user called "orders" and this user can log in and view the photo orders but they can't add items or edit albums or anything like that. They can only view the orders and edit the orders, change the status of the orders, etc.

Is this possible?

I'm looking for a way so someone who is processing orders can only have the permissions to access the Checkout Orders page, nothing else.

Thanks

alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Tue, 2010-05-11 09:46

Background:

All the admin pages work on a view/subview structure. The View is class CoreAdminView in file modules/core/AdminCore.inc, which has a test for the user's admin status:

	$ret = GalleryCoreApi::assertUserIsSiteAdministrator();
	if ($ret) {
	    return array($ret, null);
	}

at line 215 (G2.3), and then the checkout module's sub-views repeat the test for each subview, e.g. modules/checkout/AdminOrder.inc line 156.

The corresponding controllers (same files, earlier in the code) have the same test for admin status.

You can fake a URL directly to the subview (e.g. ...main.php?g2_view=checkout.AdminTransactions) to bring up the order list as a main view (notice no admin options down the left side of the page), in which case only the subview's status test will run. So if you change that test to a test for membership of an "orders management" group instead, then any member of that group can see that page. However, the links to the individual orders will still refer to the main-view/sub-view structure as normal, which will remain inaccessible to all but admins even if you change the corresponding AdminOrder sub-view test, because the main view still tests for admin status.

Maybe you could change the main view's test to effectively {admin OR member of the order management group} but check to see if that gives unintended access to other admin pages.

Remember also you'll have to change the corresponding tests in the relevant controllers (Views show you stuff, Controllers do stuff, then revert to a View to show you the results).

Overall I would say it's possible if you get yourself a decent understanding of the view/controller structure of G2 and how to test for membership of given groups etc.
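The {admin OR member of the order management group} test described above, written out as an added example (not code from Gallery2, the checkout module, or the poster). It assumes the Gallery2 calls GalleryCoreApi::isUserInSiteAdminGroup(), GalleryCoreApi::fetchGroupByGroupName(), GalleryCoreApi::isUserInGroup() and the global $gallery object behave as named here; verify them against your G2 version before relying on it.

```php
<?php
/*
 * Added example, not part of Gallery2 or the checkout module.
 * Returns null when the active user may proceed, or a GalleryStatus
 * error otherwise, so it can replace the existing
 * assertUserIsSiteAdministrator() call in a checkout sub-view AND in
 * the matching controller (both must be changed, as the reply notes).
 * Assumed API: isUserInSiteAdminGroup(), fetchGroupByGroupName(),
 * isUserInGroup(), $gallery->getActiveUserId().
 */
function assertUserIsSiteAdminOrInGroup($groupName) {
    global $gallery;

    /* Site administrators pass exactly as with the original test. */
    list ($ret, $isAdmin) = GalleryCoreApi::isUserInSiteAdminGroup();
    if ($ret) {
        return $ret;
    }
    if ($isAdmin) {
        return null;
    }

    /* Resolve the group by name; an unknown group denies, never grants. */
    list ($ret, $group) = GalleryCoreApi::fetchGroupByGroupName($groupName);
    if ($ret) {
        return $ret;
    }
    if (!isset($group)) {
        return GalleryCoreApi::error(ERROR_PERMISSION_DENIED);
    }

    list ($ret, $isMember) = GalleryCoreApi::isUserInGroup(
        $gallery->getActiveUserId(), $group->getId());
    if ($ret) {
        return $ret;
    }
    if (!$isMember) {
        return GalleryCoreApi::error(ERROR_PERMISSION_DENIED);
    }
    return null;
}

/*
 * Where the sub-view or controller currently does
 *     $ret = GalleryCoreApi::assertUserIsSiteAdministrator();
 * it would instead do
 *     $ret = assertUserIsSiteAdminOrInGroup('orders management');
 *     if ($ret) { return array($ret, null); }
 */
```

Apply this only to the checkout order views and controllers; if the CoreAdminView main-view test is loosened the same way, every other admin sub-view must still keep its own admin-only check, or the orders group gains the whole admin area.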