View of User Groups and History

It would be nice to be able to limit users' view of User Groups to the groups that they can add users to. I usually have tons of User Groups as I deal with a lot of schools. I don't want them to be able to see the other User Groups from other schools. Also, if a User Group was at the end of the list they would have to scroll past all of the other User Groups in order to find theirs.

It would also be nice to only have users see their own import history rather than those of everyone that has done an import on the system.

However, this is a great add-on and is a lifesaver for me and all of my users. It makes it so much easier to sell my product as teachers at schools would not want to enter every single student they have into the system one-by-one. Thank you so much for putting this together and updating it.

Type: Discussion
Status: In Progress
pbhanney
pbhanney replied:
I also have found a major security breach with this problem. A user that can import users with this add-on can import a user into ANY group, including Administrators. They can then use that imported user to gain access to ANY part of a website.

concrete5 Environment Information

# concrete5 Version
Core Version - 8.4.2
Version Installed - 8.4.2
Database Version - 20180716000000

# concrete5 Packages
All In: The Advanced Member Import Add On by ampersandApps (1.0.4), Stucco (2.1.6)

# concrete5 Overrides
None

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - Off
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software
Apache

# Server API
cgi-fcgi

# PHP Version
5.6.30

# PHP Extensions
bcmath, bz2, calendar, cgi-fcgi, Core, ctype, curl, date, dom, ereg, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, imagick, imap, intl, ionCube Loader, json, libxml, mbstring, mcrypt, mhash, mssql, mysql, mysqli, odbc, openssl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, pspell, Reflection, session, SimpleXML, soap, sockets, SourceGuardian, SPL, sqlite3, standard, tidy, tokenizer, wddx, xml, xmlreader, xmlrpc, xmlwriter, xsl, Zend Guard Loader, zip, zlib

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 256M
post_max_size - 64M
sql.safe_mode - Off
upload_max_filesize - 64M
mssql.max_links - Unlimited
mssql.max_persistent - Unlimited
mssql.max_procs - Unlimited
mssql.textlimit - Server default
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
odbc.max_links - Unlimited
odbc.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - no value
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
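
The issue in pbhanney's reply above comes down to a missing server-side check: the groups named in an import file have to be compared against the groups the importing account is allowed to assign. The sketch below is an added example, not the add-on's code; the function name, the pipe-separated `groups` column and the sample group names are assumptions, and the list of assignable groups is assumed to come from the CMS permission system.

```php
<?php
// Added example, not the add-on's code. Assumptions: each import row carries a
// pipe-separated "groups" column, and $assignable holds the group names the
// importing account may assign, as resolved by the CMS permission system.
// A row naming any group outside $assignable is rejected whole, so no account
// is created with a different group set than the file asked for.
function filterImportRows(array $rows, array $assignable)
{
    // Normalise so " administrators " and "Administrators" compare equal.
    $norm = function ($g) {
        return strtolower(trim($g));
    };
    $allowed = array_flip(array_map($norm, $assignable));

    $accepted = array();
    $rejected = array();
    foreach ($rows as $i => $row) {
        $raw = isset($row['groups']) ? $row['groups'] : '';
        $requested = array_filter(array_map($norm, explode('|', $raw)), 'strlen');
        $denied = array();
        foreach ($requested as $g) {
            if (!isset($allowed[$g])) {
                $denied[] = $g;
            }
        }
        if ($denied) {
            $rejected[] = array('line' => $i + 1, 'email' => $row['email'], 'denied' => $denied);
        } else {
            $accepted[] = $row;
        }
    }
    return array($accepted, $rejected);
}

// Constructed sample: an importer who may assign only one school's groups.
$assignable = array('Lincoln High Students', 'Lincoln High Teachers');
$rows = array(
    array('email' => 'student1@example.com', 'groups' => 'Lincoln High Students'),
    array('email' => 'student2@example.com', 'groups' => 'Lincoln High Students|Administrators'),
    array('email' => 'student3@example.com', 'groups' => ' administrators '),
);

list($accepted, $rejected) = filterImportRows($rows, $assignable);
printf("accepted: %d, rejected: %d\n", count($accepted), count($rejected));
foreach ($rejected as $r) {
    printf("line %d (%s): may not assign %s\n", $r['line'], $r['email'], implode(', ', $r['denied']));
}
```

The same assignable set can drive the group picker shown to the importer, but the check has to run on the server at import time, since hiding groups in the interface does not stop a file from naming them.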
