
Thread: "DELETE USER" FOR EVERYBODY in 4.5.1f

  1. #1
    roblaus is offline Sugar Community Member
    Join Date
    Dec 2006
    Location
    Vienna / Austria
    Posts
    2,850

    "DELETE USER" FOR EVERYBODY in 4.5.1f

    Sorry, I had to post this once again to make sure it gets attention:

    I appreciated the "old" way of not being able to delete a user for various reasons. But it's exactly the other way round now - EVERYBODY can go to "Employees" (on top of the screen), choose one or more users and simply delete them (including himself).

    This is enormously dangerous and I believe renders most of the implementations useless!

    Can somebody PLEASE point me to a quick fix? I am not a programmer but I can cut and paste, delete or comment something out.

    Thanks in advance
    rl

    PS: I am on the "f" version, 6.06LTS, mysql5
    __________________________
    Robert Laussegger
    http://www.iscongroup.net

    For questions: support@iscon.at
    The German language files for SugarCRM and the German manual are available here: http://goo.gl/kPsAz
    Now also with 6.4.2

  2. #2
    pblag is offline Sugar Community Member
    Join Date
    Jul 2006
    Location
    Ukraine (Chernivtsy)
    Posts
    347

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    Hi Roblaus!

    We have developed a hot fix for your SugarCRM.

    You can download the file here.

    Be careful: this file is for SugarCRM Open Source 4.5.1f.

    If you have any other questions about SugarCRM feel free to contact us.
    Petro Blagodir
    petro@blagodir.ua
    http://www.blagodir.com
    Blagodir Ltd.( SugarCRM - Consultations, Development and Support)

  3. #3
    roblaus is offline Sugar Community Member
    Join Date
    Dec 2006
    Location
    Vienna / Austria
    Posts
    2,850

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    Hi,

    Tx, it did the trick. I still wonder how such a serious issue could have gone unnoticed...

    However, 5.0b2 has a similar issue - user deletion isn't possible but editing is - again for everybody...

    rgds
    rl

  4. #4
    andydreisch is offline Sugar Team Member
    Join Date
    Apr 2005
    Location
    San Jose
    Posts
    2,080

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    This has been fixed in 451g (bug 16658). 451g is due within days.

    Andy
    Andy Dreisch
    Vice President, Online Team


    Check out our Podcasts!
    Sugar University for training
    Sugar Wiki for developer and user help
    SugarForge for modules, themes, lang packs
    SugarExchange for production-ready extensions
    Enter/view bugs via the Sugar bug tracker

  5. #5
    bartfai is offline Junior Member
    Join Date
    Nov 2007
    Posts
    2

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    Or maybe don't!

    I downloaded 451g, but EVERYBODY can go to "Employees" (on top of the screen), choose one or more users and simply Edit them. Why?

  6. #6
    andydreisch is offline Sugar Team Member
    Join Date
    Apr 2005
    Location
    San Jose
    Posts
    2,080

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    Hi bartfai, this is not what I see on the 451g demo system.

    Sure, the admin user can select an employee and edit the employee.

    But any "normal" (non-admin) user can only view, not edit, an employee.

    Andy
    Andy Dreisch
    Vice President, Online Team



  7. #7
    bartfai is offline Junior Member
    Join Date
    Nov 2007
    Posts
    2

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    I have one other question.

    Is the user (will) in the demo a normal user (non-admin)?
    Because 'will' can edit every user in the Employee with the pencil icon. Is it normal?

    Sorry for my English

  8. #8
    kuske is offline Sugar Community Member
    Join Date
    Oct 2007
    Location
    Germany
    Posts
    2,597

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    I fixed the delete problem with a little MySQL trick.
    Since MySQL is able to define triggers, I defined a trigger which prevents the delete column from being set to 0.

    Code:
    DELIMITER $$
    DROP TRIGGER IF EXISTS tr_upd_users$$
    CREATE TRIGGER tr_upd_users BEFORE UPDATE ON users
    FOR EACH ROW
    BEGIN
       -- SugarCRM soft-deletes a record by setting deleted = 1 (0 = active),
       -- so an attempted delete arrives as NEW.deleted = 1 and is reset here.
       IF NEW.deleted = 1 THEN
          SET NEW.deleted = 0;
           -- here you can define additional actions to remember that somebody tried to delete a user
       END IF;
    END$$

    -- restore the default statement delimiter
    DELIMITER ;
    Be careful when working with triggers.

    hk
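
A more defensive variant of the trigger idea from post #8, as an added example that is not part of the original thread or of SugarCRM: it blocks only the change from active to deleted, also freezes is_admin (the Mass Update escalation reported as bug 17344 in post #9), and records each blocked attempt. The table user_guard_audit, the trigger name tr_guard_users and the session variable @allow_user_admin_change are hypothetical; the columns users.id, users.deleted and users.is_admin are assumed from the SugarCRM schema.

```sql
-- Added example. Hypothetical audit table for blocked changes to the users table.
CREATE TABLE IF NOT EXISTS user_guard_audit (
    id            INT AUTO_INCREMENT PRIMARY KEY,
    attempted_at  DATETIME     NOT NULL,
    db_account    VARCHAR(128) NOT NULL,  -- MySQL account of the session, not the CRM user
    user_id       CHAR(36)     NOT NULL,  -- users.id of the targeted row
    blocked_field VARCHAR(32)  NOT NULL
);

DELIMITER $$
-- MySQL before 5.7.2 allows one BEFORE UPDATE trigger per table,
-- so this trigger replaces tr_upd_users from the post above.
DROP TRIGGER IF EXISTS tr_upd_users$$
DROP TRIGGER IF EXISTS tr_guard_users$$
CREATE TRIGGER tr_guard_users BEFORE UPDATE ON users
FOR EACH ROW
BEGIN
    -- Hypothetical bypass: a DBA runs SET @allow_user_admin_change = 1 in
    -- their own session before a legitimate change. The variable is
    -- session-scoped, so requests coming through the web UI never have it.
    IF COALESCE(@allow_user_admin_change, 0) <> 1 THEN
        -- Block the soft delete (0 = active, 1 = deleted), keep other edits.
        IF OLD.deleted = 0 AND NEW.deleted = 1 THEN
            SET NEW.deleted = OLD.deleted;
            INSERT INTO user_guard_audit
                (attempted_at, db_account, user_id, blocked_field)
            VALUES (NOW(), USER(), OLD.id, 'deleted');
        END IF;
        -- Block any change of the admin flag; <=> is the NULL-safe comparison.
        IF NOT (NEW.is_admin <=> OLD.is_admin) THEN
            SET NEW.is_admin = OLD.is_admin;
            INSERT INTO user_guard_audit
                (attempted_at, db_account, user_id, blocked_field)
            VALUES (NOW(), USER(), OLD.id, 'is_admin');
        END IF;
    END IF;
END$$
DELIMITER ;
```

The trigger silently reverts the two guarded columns, so the application reports success while the row stays unchanged; rows in user_guard_audit are the signal to review. It does not restrict edits to other fields of an Employee record (bug 17345).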

  9. #9
    andydreisch is offline Sugar Team Member
    Join Date
    Apr 2005
    Location
    San Jose
    Posts
    2,080

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    Hi bartfai and others, thanks for following through on this. I was looking only for the delete case in my tests. But based on bartfai's input I ran a few more tests and confirmed two issues:

    Bug 17344 -- it is possible for a non-admin user to set 'IsAdmin' via Mass Update to oneself (or others)
    Bug 17345 -- it is possible for a non-admin user to edit other Employee records.

    You can monitor our fixes for these in the Bug Tracker (see the link for the Bug Tracker in my signature).

    Andy
    Andy Dreisch
    Vice President, Online Team


    Check out our Podcasts!
    Sugar University for training
    Sugar Wiki for developer and user help
    SugarForge for modules, themes, lang packs
    SugarExchange for production-ready extensions
    Enter/view bugs via the Sugar bug tracker

  10. #10
    andydreisch is offline Sugar Team Member
    Join Date
    Apr 2005
    Location
    San Jose
    Posts
    2,080

    Re: "DELETE USER" FOR EVERYBODY in 4.5.1f

    OK, an update on this.

    Bug 17344 (It is possible as a non-admin user to set IsAdmin=Yes to oneself via Employees Mass Update) actually has been fixed in the 451g release. The demo system has been updated to incorporate this fix. You'll see that if you build your own demo here.

    Bug 17345 (It is possible as a non-admin user to edit other Employee records) remains queued for a subsequent patch, possibly 451h.

    Andy
    Andy Dreisch
    Vice President, Online Team


