webERP Forum
Page Security Levels - Printable Version




Page Security Levels - ALEXSHEN - 09-16-2019

Hi Tim,

I found a problem, and I don't know whether it is a problem with my own settings or a system problem. I tried to set the “Costupdate” Security Level, but the Security Token always stays at "10" and can't be updated to another value.
[attachment=986]
Is it fixed, or is there another reason?

Alex


RE: Page Security Levels - TimSchofield - 09-16-2019

I will have to check when I have the code in front of me but I believe the cost update security token is hard coded in places. I don't like the hard coding of security tokens but that code isn't mine.
If it is hard coded I am not sure why it is an option here. Will come back to you for sure when I have the code in front of me.

Tim


RE: Page Security Levels - ALEXSHEN - 09-16-2019

Hi Tim

Ok, I am very grateful for your help.

Alex


RE: Page Security Levels - TimSchofield - 09-17-2019

Ok, if you comment out line 18 of PageSecurity.php (it seems an utterly pointless line), changing it from

$ScriptName = mb_substr($ScriptName, 0, mb_strlen($ScriptName)-4).'.php';
to
//$ScriptName = mb_substr($ScriptName, 0, mb_strlen($ScriptName)-4).'.php';

then you can update that token. It appears to me having looked at the code that this is ok, and that it *should* work fine. That said I didn't write that code so test carefully first.

Tim

=======

There was a very obvious typo in PageSecurity.php that would have been avoided if developers did what I have asked them to do for years, and that is to set error_reporting to -1 while testing code.

I have fixed it and submitted a pull request.

Tim


RE: Page Security Levels - ALEXSHEN - 09-17-2019

Thanks Tim,

Yes, this is useful, I have changed the COSTUPDATE Security token.

However, I feel that, in order to avoid misuse, a protection function could perhaps be added to this page, "Require password confirmation before making any changes," which would be safer.

Thanks again

Alex