
Quote from noyzen on March 14, 2022, 12:02 pm
Hi,
I need to prevent users in neoCms from changing their account data like username, email and... which can be accessed easily with the commands neoCmsAddUser and neoCmsUpdateUser.
Users can easily add themselves into the Admin group also.
I need to prevent this in the backend, in custom API or anywhere I can...
/api/collections/get/(categories|products)
/api/cockpit/authUser
/api/cockpit/saveUser
I use the above code in Custom API rules; I can let users register or not, but I don't know how to force them to go into a specified group only... or prevent them from changing their registration data.
Can someone help me with this please? I can't find any guide or help online. Thanks
UPDATE:
I found this useful post. It may help, I'm working on it also.
https://discourse.getcockpit.com/t/add-rules-to-saveuser-for-a-token/352/4

Quote from noyzen on March 14, 2022, 12:41 pm
Hello again, it's me! :D
I solved one part (forcing group in register) myself:
In folder mysite/cms/addons/Users/bootstrap.php I have changed this code:
<?php
if (COCKPIT_API_REQUEST) {
    $app->on('cockpit.accounts.save', function (&$data, $update) {
        // Any additional logic you may require (check if request is from the api, etc..)
        if (in_array($data['group'], ['admin', 'moderator'])) {
            unset($data['group']);
        }
    });
}
?>
Into this:
<?php
if (COCKPIT_API_REQUEST) {
    $app->on('cockpit.accounts.save', function (&$data, $update) {
        // Any additional logic you may require (check if request is from the api, etc..)
        $data['group'] = 'normal';
    });
}
?>
And now all users are forced to the group "normal".
I will try to find a solution for the other problems also...

Quote from luishp on March 14, 2022, 12:58 pm
@noyzen it's not possible to add new users to "admin" group using neoCmsAddUser or neoCmsUpdateUser.
neoCms has been already modified to block that possibility.
Best regards.

Quote from noyzen on March 14, 2022, 3:47 pm
Yes @luishp, I saw that extra code you added, but when I try "Admin" they can do that. Or when I try "Moderator" and...
(With a capital letter), in your code group names are case sensitive, so if I use "Admin" I can add myself into the ADMIN group.
Please test it yourself :)

Quote from luishp on March 15, 2022, 7:56 am
Hi @noyzen, please try this instead:
<?php
if (COCKPIT_API_REQUEST) {
    $app->on('cockpit.accounts.save', function (&$data, $update) {
        // Any additional logic you may require (check if request is from the api, etc..)
        if (in_array(strtolower($data['group']), ['admin', 'moderator'])) {
            unset($data['group']);
        }
    });
}
?>
Let me know if it works.
Thank you!

Quote from noyzen on March 15, 2022, 8:01 am
Hi Luis again,
I had tried this before, not working...
I wanted to do exactly the same trick to fix the code and prevent case-sensitive group names, but I don't know PHP much. So I found a solution on Google exactly like yours and it's not working.
I mean group names with upper case can still be made.

Quote from luishp on March 15, 2022, 12:32 pm
@noyzen Thank you for the information.
I will have to look into this more carefully. It seems important...
Regards.

Quote from noyzen on March 15, 2022, 1:03 pm
Thank you very much.
For now and for my case, forcing a group as I mentioned above works, but perhaps we need a standard way to customize access to desired groups. Something like what you are trying to fix...
Also, if you find a way to prevent username and email changes server-side, let me know please.
If I find any other problems or solutions I will share them too, of course. Let's make neoCms even better! ;)

Quote from luishp on March 15, 2022, 1:46 pm
@noyzen I have updated the plugin to force group names to lowercase before sending them to the server in both neoCmsAddUser and neoCmsUpdateUser. I know this is not a real fix but will help to avoid easy hacking while we find a solution server side. I have also fixed some minor bugs when using neoCmsAdvancedSearchCollection. Please replace the plugin with the attached one.
Thanks again.

Quote from noyzen on March 15, 2022, 3:02 pm
Good job. I have some suggestions for the plugin too, but server-side and the CMS itself are more important, so I will focus on that for now.
If I finish any of the sample apps which I'm working on right now, I will show you.
Thank you!

Quote from luishp on April 2, 2022, 1:04 pm
@noyzen I have just discovered this:
- I create a new group with a desired name with admin rights
- I move my admin account to that new group
- I create a group with name "admin" with no rights at all
This way I can prevent anyone being able to register as an admin.
Regards.
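
Added example, not part of the thread and not neoCms or Cockpit code: a server-side allowlist for the cockpit.accounts.save hook quoted above, which normalises the submitted group before comparing it and drops username, email and group changes on updates. The names sanitize_account_payload, SELF_SERVICE_GROUPS, DEFAULT_GROUP and IMMUTABLE_ON_UPDATE are hypothetical, the 'user' and 'email' keys are assumed field names, and it assumes a save keeps the stored value for any key removed from the payload.

```php
<?php
// Added example, not neoCms or Cockpit code. Group names and field names
// below are assumptions; adjust them to your installation.
const SELF_SERVICE_GROUPS = ['normal'];        // groups an API caller may register into
const DEFAULT_GROUP       = 'normal';          // the group name used in the thread
const IMMUTABLE_ON_UPDATE = ['user', 'email']; // assumed keys for username and email

/**
 * Return a copy of the account payload that is safe to store.
 * Allowlist, not denylist: a group is accepted only if its normalised
 * form is an exact match for an allowed name; everything else is replaced.
 */
function sanitize_account_payload(array $data, bool $update): array
{
    if ($update) {
        // Existing account: the API may not change group or identity fields.
        // Assumes the save keeps stored values for keys missing from $data.
        unset($data['group']);
        foreach (IMMUTABLE_ON_UPDATE as $field) {
            unset($data[$field]);
        }
        return $data;
    }
    // New account: normalise first, then compare strictly against the allowlist.
    $group = $data['group'] ?? '';
    $group = is_string($group) ? strtolower(trim($group)) : '';
    $data['group'] = in_array($group, SELF_SERVICE_GROUPS, true) ? $group : DEFAULT_GROUP;
    return $data;
}

// Wiring with the hook shown in the thread (active only inside a Cockpit bootstrap.php).
if (defined('COCKPIT_API_REQUEST') && COCKPIT_API_REQUEST && isset($app)) {
    $app->on('cockpit.accounts.save', function (&$data, $update) {
        $data = sanitize_account_payload((array) $data, (bool) $update);
    });
}

// Constructed sample payloads; runs stand-alone with `php example.php`.
if (PHP_SAPI === 'cli' && !isset($app)) {
    foreach (['Admin', ' moderator ', ['admin'], 'normal'] as $g) {
        var_dump(sanitize_account_payload(['user' => 'eve', 'group' => $g], false)['group']);
    }
    var_dump(sanitize_account_payload(
        ['_id' => 'x1', 'email' => 'new@example.test', 'group' => 'ADMIN'], true));
}
```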
