nick_iFactory (Posted September 27, 2013)

I have created a couple of categories that I do not want to be visible to anyone unless they are logged in and in a special group I have created and added them to manually. I created the groups and in "Group access" I unchecked Visitor, Guest and regular Customer and checked my custom group. I tested this by logging out and trying to go to the individual product page and category page and I got the error saying I did not have access, so it was working properly.

However when I copied the url link (eg. http://www.mysite.com/index.php?controller=attachment&id_attachment=4) to one of the attachments to a product I was able to get to it without being logged in. With a little more investigation it seems we can easily change the "id_attachment" variable and gain access to all attachments regardless of access permissions. Checking the attachment controller I found it had no security checks at all.

This is a problem for me as it is the attachments my client does not want to be accessible to the public. I am wondering if there is an update where security is added here or perhaps a module which has proper attachment security.
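
A minimal model of the missing check described in the post above, added here as an illustration; it is not PrestaShop code and not code from any poster. The group ids, table contents and function names are constructed, and the policy (a file is downloadable only when one of the requester's groups may view a category of a product it is attached to) is an assumption.

```python
# Constructed sample data: ids and contents are illustrative, not from a real shop.
VISITOR, GUEST, CUSTOMER, TRADE = 1, 2, 3, 4

CATEGORY_GROUPS = {            # id_category -> groups allowed to view it
    10: {VISITOR, GUEST, CUSTOMER, TRADE},   # public category
    20: {TRADE},                             # restricted to the custom group
}
PRODUCT_CATEGORIES = {100: {10}, 200: {20}}  # id_product -> its categories
ATTACHMENT_PRODUCTS = {        # id_attachment -> products it is attached to
    3: {100},                  # datasheet on a public product
    4: {200},                  # price list on a restricted product
    5: set(),                  # uploaded but attached to nothing
}
ATTACHMENT_FILES = {3: b"public datasheet", 4: b"trade price list", 5: b"draft"}


def serve_unchecked(id_attachment):
    """Behaviour described in the post: the id alone selects the file."""
    data = ATTACHMENT_FILES.get(id_attachment)
    return (200, data) if data is not None else (404, b"")


def can_download(id_attachment, customer_groups):
    """True only if a product carrying the attachment sits in a category that
    one of the requester's groups may view. Unattached files are denied."""
    groups = set(customer_groups)
    for id_product in ATTACHMENT_PRODUCTS.get(id_attachment, ()):
        for id_category in PRODUCT_CATEGORIES.get(id_product, ()):
            if CATEGORY_GROUPS.get(id_category, set()) & groups:
                return True
    return False


def serve_checked(id_attachment, customer_groups=(VISITOR,)):
    """Same endpoint with authorization decided before the file is read.
    Forbidden and unknown ids get the same answer, so changing the id
    reveals nothing about which attachments exist."""
    data = ATTACHMENT_FILES.get(id_attachment)
    if data is None or not can_download(id_attachment, customer_groups):
        return (404, b"")
    return (200, data)
```

The groups passed to `serve_checked` must come from the server-side session, never from a request parameter.
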
JohnADK (Posted October 16, 2013)

Anyone who can respond? I am also interested in this functionality.
mjpl (Posted November 19, 2013)

Hey Guys, I found the solution for you, check this link: http://www.prestatraining.com/display-categories-products-specific-groups/

Cheers,