Page Security Levels

[ALEXSHEN]

Hi Tim,

I found a problem, I didn't know it is my-self setting problem or it is a system problem, I try to set this “Costupdate” Security Levels, but the Security Token always kept "10", can't update to others.
   
It's fixed or other reasons?

Alex

[falkoner]

I will have to check when I have the code in front of me but I believe the cost update security token is hard coded in places. I don't like the hard coding of security tokens but that code isn't mine.
If it is hard coded I am not sure why it is an option here. Will come back to you for sure when I have the code in front of me.

Tim

[ALEXSHEN]

Hi Tim

Ok, I am very grateful for your help.

Alex

[falkoner]

Ok, If you comment out line 18 of PageSecurity.php (it seems an utterly pointless line), changing it from

$ScriptName = mb_substr($ScriptName, 0, mb_strlen($ScriptName)-4).'.php';
to
//$ScriptName = mb_substr($ScriptName, 0, mb_strlen($ScriptName)-4).'.php';

then you can update that token. It appears to me having looked at the code that this is ok, and that it *should* work fine. That said I didn't write that code so test carefully first.

Tim

=======

There was a very obvious typo in PageSecurity.php that would have been avoided if developers did what I have asked them to do for years, and that is to set error_reporting to -1 while testing code.

I have fixed it and submitted a pull request.

Tim

[ALEXSHEN]

Thanks Tim,

Yes, this is useful, I have changed the COSTUPDATE Security token.

However, I feel that sometimes in order to avoid misuse, may can add a protection function on this page, "Require password confirmation before making any changes," which is safer.

Thanks again

Alex