Freestyle Joomla Forums

Support Portal

Abel Bartolome

06 November 2017, 10:57

Why ?view=admin_support on URL is able to see all tickets

Hi,
I was finishing the setup of Support Portal for a new client when I realized that PUBLIC users are able to see all tickets and edit them with just the following URL:

https://ynfinitienergy.com/soporte?view=admin_support

What's wrong with my configuration?

Should this option be restricted just to Administrators on Permissions->Support Admins?
What's the right security configuration so that ?view=admin_support is disabled by default and only enabled for Administrators?
Thank you,
Link showing problem https://ynfinitienergy.com/soporte?view=admin_support
Joomla Version 3.8.1
Freestyle Version 2.6.4.2109
Harry Shaw

07 November 2017, 14:31

Re: Why ?view=admin_support on URL is able to see all tickets

Hello,

Could you please send us some screenshots of the current configuration that you are using? From that we may be able to spot the cause of this issue.

Thanks

Harry Shaw
Freestyle Joomla
Abel Bartolome

07 November 2017, 15:05

I can see all tickets without login

Hi, 
If I add the following to the URL of the site, I can see all tickets without login:

?view=admin_support&tickets=1

Please see some screenshots about current configuration.

The Administration menu is hidden and is available just for registered users, but if I add:
 ?view=admin_support&tickets=1 
to the URL I'm able to see all tickets. I can't delete or change anything on them but I can see everything.

I don't know what is managing permissions in this part of the website. I can play with:
?view=main
?view=admin


Thank you,

Free-style-support-security-config-1.JPG

207.06 KB

Free-style-support-security-config-2.JPG

114.87 KB

Free-style-support-security-config-3.JPG

146.76 KB

Free-style-support-security-config-4.JPG

68.8 KB

Free-style-support-security-config-5.JPG

75.84 KB

Free-style-support-security-config-6.JPG

113.86 KB

Free-style-support-security-config-7.JPG

114.06 KB

Free-style-support-security-config-8.JPG

108.8 KB

Free-style-support-security-config-9.JPG

95.14 KB
Abel Bartolome

07 November 2017, 15:13

Re: I can see all tickets without login

Hi,

Just to add that the system has been designed to let any user place a ticket, which means allowing public access. With ?view=admin_support&tickets=1 or other similar parameters like ?view=admin, anyone can see all tickets.

The Administrators Main Menu is working fine. It is visible only to Registered users, as you can see on the screenshot, but if I know the full URL with ?view=admin then I can get access. I don't know what's wrong with my security configuration.

Thank you for your support,
Abel

Free-style-support-security-config-12.JPG

70.12 KB

Free-style-support-security-config-11.JPG

142.8 KB

Free-style-support-security-config-10.JPG

111.97 KB
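
The situation described in the posts above (menu entry hidden, view still reachable by typing the URL) comes down to where the access check runs. The following is an added example, not part of the original thread and not Joomla or Freestyle Support code: a toy dispatcher in which the role names, the policy table and the `example.test` URL are assumptions, and only the view names come from the thread.

```python
# Added illustration: a toy model, not Joomla or Freestyle Support code.
from urllib.parse import urlsplit, parse_qs

# Assumed policy: minimum role needed per view (view names taken from the thread).
VIEW_POLICY = {"main": "public", "admin": "handler", "admin_support": "handler"}
ROLE_RANK = {"public": 0, "registered": 1, "handler": 2}
# Menu items and the access level that controls whether each link is *displayed*.
MENU = [("Support", "main", "public"), ("Administration", "admin", "registered")]


def requested_view(url):
    """Extract the view name from the query string; default to 'main'."""
    query = parse_qs(urlsplit(url).query)
    return query.get("view", ["main"])[0]


def visible_menu(role):
    """What the navigation shows. This never runs for a hand-typed URL."""
    return [title for title, _view, level in MENU
            if ROLE_RANK[role] >= ROLE_RANK[level]]


def dispatch_menu_only(url, role):
    """Flawed pattern: any known view renders; only the menu was restricted."""
    view = requested_view(url)
    return (200, view) if view in VIEW_POLICY else (404, None)


def dispatch_checked(url, role):
    """Hardened pattern: authorize on every request, deny by default."""
    view = requested_view(url)
    required = VIEW_POLICY.get(view)
    if required is None:
        return (404, None)          # unknown view: nothing to render
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        return (403, None)          # known view, caller lacks the role
    return (200, view)


if __name__ == "__main__":
    url = "https://example.test/soporte?view=admin_support&tickets=1"  # constructed
    print("guest menu:", visible_menu("public"))
    print("menu-only :", dispatch_menu_only(url, "public"))
    print("checked   :", dispatch_checked(url, "public"))
```

In this model a registered user who can see the Administration link is still refused the `admin` view, because display level and view permission are separate settings.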
Harry Shaw

08 November 2017, 13:50

Re: Why ?view=admin_support on URL is able to see all tickets

Hello,

Thank you for the added information. Would it also be possible to have access to your site so we can take a look ourselves and try to find the cause of this issue?

Thanks

Harry Shaw
Freestyle Joomla
Abel Bartolome

08 November 2017, 14:14

Re: Audit Message

Hi,

Yes, I'll create a user for you. Module Free Style Support is not in production, which means you can change parameters.

Sorry, how can I send you the credentials? I can't see how to make this thread private.
Abel Bartolome

10 November 2017, 09:02

Re: Audit Message

Hi Harry,

Now, after trying to change permissions so that a user who knows the full URL to the admin view cannot see all tickets without user/pass, I had another problem.

Message:
An error has occurred.

0 Cannot access protected property FsssModelFuser::$user


....
and no way to add new users on Permissions and no way to change permissions of current handlers on Permissions per user.

Any idea about how to remove this "protected access"?

Thank you,
 

PermitsProblem-5.JPG

28.85 KB
Harry Shaw

10 November 2017, 09:03

Re: Why ?view=admin_support on URL is able to see all tickets

Hello,

Can you either open a support ticket with us (this is completely private) or email the credentials to freestyle.joomla1@gmail.com?

Thanks in advance

Harry Shaw
Freestyle Joomla
Abel Bartolome

10 November 2017, 13:37

Re: Why ?view=admin_support on URL is able to see all tickets
