hasRole() function: potential critical bug

I'm trying to build a login-based page, and everything works well, except for a potential critical bug.

I created roles in my local config.php (admin, editor, client) as shown in the docs and filter content with:

<?php if($site->user()->hasRole('admin')): ?>
<?php $clientprojects = $page->children() ?>
<?php else: ?>
<?php $clientprojects = $page->children()->filterBy('hasaccess', $username) ?>
<?php endif ?>

Then I uploaded my code to a live test server, forgetting to set the roles in the test server's config.php file.

Despite the fact that I was logged in with a “client” account (a non-existent role), I had access to all projects (and access to the panel, but this is normal). The weird thing is that my user was listed as an editor in the panel, so its role was not admin, but it had access to everything.

I think that somehow the default role when the user's role doesn't exist is set to admin, or the hasRole() function is not strict enough to filter users if roles are missing in config.php.

Maybe I did something wrong; tell me how I can test it further.

edit: I also tested hasRole()->isNotEmpty() for securing the condition, but it throws a php error.
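A fail-closed variant of the template above, written as an added example and not taken from the original post or from Kirby itself. It assumes the Kirby 2 API ($site->user() returning false when nobody is logged in, $user->role()->id(), $user->username(), new Pages() for an empty collection) and that the 'hasaccess' field holds the username; the $allowedRoles list is a constructed copy of the roles from config.php. Any role not in that list, including one forgotten in a server's config, ends up with an empty list instead of the unfiltered one.

```php
<?php
// Added example (not the original post's code). Assumption: Kirby 2 API.
$user = $site->user();                       // false when no one is logged in

// Constructed list mirroring the roles defined in config.php.
// Keeping it explicit means an undefined role can never be treated as admin.
$allowedRoles = array('admin', 'editor', 'client');

// Role id of the current user, or null when there is no session.
$roleId = $user ? $user->role()->id() : null;
$roleKnown = $roleId !== null && in_array($roleId, $allowedRoles, true);

if ($roleKnown && $roleId === 'admin') {
  // Only an explicit, configured 'admin' role sees every project.
  $clientprojects = $page->children();
} elseif ($roleKnown) {
  // editor / client: restrict to projects that name this user.
  $clientprojects = $page->children()->filterBy('hasaccess', $user->username());
} else {
  // Not logged in, or a role missing from config.php: deny by default.
  // Assumption: new Pages() yields an empty collection in Kirby 2.
  $clientprojects = new Pages();
}
?>
```

Deploying this to the server that lacked the roles would have shown the “client” user nothing, which makes the misconfiguration visible immediately instead of silently widening access.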

You don’t use the same config.php on local and remote? I would put all basic settings into a general config file and use additional config files for local/remote settings (for example, caching and license only on remote), as explained in the docs.

By the way, since we now have permissions, it would make sense to define the roles in the roles folder, anyway.
https://getkirby.com/docs/panel/roles

I have 1 config file per server; I assumed that they were used individually and not appended to the config.php file. Is that the case? I just forgot to copy my roles to all my config files.

OK for the roles folder, I will use that. I think there is still a bug for people using the config file.

Well, the environment specific config settings are in fact appended to the config file.

Was that user the only Panel user or was there an admin user as well? The last user is always an admin user.

Feel free to open an issue on GitHub.

OK, cool for the config file; maybe say it in the docs, because it's not clear.
There was an admin user (and other users); the user was noted as “editor” in the panel. Is the last user created the admin, or is it just the default display? What do you mean?

What I meant was that if there is only a single user left, this user is automatically the admin. But this does not seem to be the case in your setup.

Edit: Maybe you are right that the docs are not explicit enough, although the section that I meant definitely talks about additional config files.

Yes, I use different config files (and it's great!), although I just assumed that 1 domain = 1 config file, like the docs said. I had no idea that the files append, nor how they append, nor how conflicts are resolved.

So I had 1 default config file and 2 others (local and test server) with duplicated content and some restrictions for the local/test config. I had no idea that the config file was used as the default for all; it could have led to baaad things 🙂

So now I'm going to rethink the config logic and refactor it.