Submitted by sgrayban on Thu, 03/10/2016 - 03:48
When I suggested the Administrator's Notes module for VM you didn't lock it so that only the Master Admins can see it. As it is now the notes can be seen by any client that logs in and that's not good when admins share sensitive notes that no one should see but the Master Admins.
Status:
Closed (fixed)
Comments
Submitted by craigh on Thu, 03/10/2016 - 07:10 Pro Licensee Comment #1
I was wondering about this too, but I came to the conclusion that these were not "notes", but a communication tool to post a notice for clients to see when logging in. However, you are right in that clients see a "save" button that just causes an error.
So either this is indeed a notes feature with the bug you describe, or it's a misnamed notices feature that needs to have the "save" button removed in sub-server accounts, and reformatted to be immutable text rather than looking like something the client can edit.
Craig
Submitted by sgrayban on Thu, 03/10/2016 - 07:45 Comment #2
This module was suggested by me a couple years ago and what Jamie and I discussed was to use this module to pass master admin notes to other master admins and not everyone, as sometimes we pass password changes and such, and user/resellers/domain owners are not supposed to see this at all.
Submitted by JamieCameron on Thu, 03/10/2016 - 23:21 Comment #3
Actually, the notes shouldn't be visible to other (non-root) users at all.
Which Virtualmin theme are you using there?
Submitted by craigh on Thu, 03/10/2016 - 23:23 Pro Licensee Comment #4
I'm using Authentic.
Submitted by sgrayban on Fri, 03/11/2016 - 01:44 Comment #5
I'm using VM Framed theme... The admin notes show up in all themes as a normal user.
Submitted by JamieCameron on Sat, 03/12/2016 - 00:34 Comment #6
Ok, I found the bug that causes this - it will be fixed in the next Virtualmin release.
Submitted by JamieCameron on Sat, 03/12/2016 - 00:34 Comment #7
Submitted by sgrayban on Sat, 03/12/2016 - 00:59 Comment #8
That's good news... when is the next release happening?
Submitted by sgrayban on Sat, 03/19/2016 - 03:35 Comment #9
I just saw an update to this module but it's still showing up in non-master admin main frame.
This needs to be fixed as it's unusable and could leak private info between admins.
Submitted by JamieCameron on Sat, 03/19/2016 - 19:18 Comment #10
Sorry, this missed the cut for the 5.01 Virtualmin release - but it will be in 5.02. I can send you a patch if you want a fix sooner though.
Submitted by sgrayban on Sun, 03/20/2016 - 00:20 Comment #11
Thanks but I have too many servers to patch unless you got a deb file to upgrade the admin notes.
Submitted by JamieCameron on Sun, 03/20/2016 - 20:11 Comment #12
The fix is actually in Virtualmin, not in the plugin : https://github.com/virtualmin/virtualmin/commit/734b6dee708eab248a3306b3...
That patch won't be visible (virtualmin/virtualmin is a private repo).
Here it is:
virtual-server/system_info.pl
@@ -614,7 +614,9 @@ sub list_system_info
}
# Sections defined by plugins
-foreach my $p (&list_plugin_sections()) {
+my $level = &master_admin() ? 0 :
+ &reseller_admin() ? 2 : 1;
+foreach my $p (&list_plugin_sections($level)) {
push(@rv, { 'type' => 'html',
'id' => 'plugin_'.$p->{'name'},
'desc' => $p->{'title'},
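Review bot: the level ternary at the top of the hunk uses bare numbers (0 for master admin, 2 for reseller, 1 for everyone else) with no comment saying what each value means or which direction is more privileged; a one-line comment or named constants next to "my $level = ..." would keep a later edit from swapping them. The visibility fix also depends entirely on list_plugin_sections honoring the new $level argument, and that function is not among the lines shown, so its change, and any other caller that still invokes it with no argument, should be reviewed together with this hunk.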
Submitted by sgrayban on Tue, 03/22/2016 - 02:15 Comment #14
You sure that's correct ??
I added that code and I got a syntax error.
What I have for that section of code is this....
# Sections defined by plugins
foreach my $p (&list_plugin_sections()) {
	push(@rv, { 'type' => 'html',
		    'id' => 'plugin_'.$p->{'name'},
		    'desc' => $p->{'title'},
		    'html' => $p->{'html'},
		    'open' => $p->{'status'} });
	}
Submitted by sgrayban on Tue, 03/22/2016 - 02:19 Comment #15
Never mind -- I didn't paste the change correctly.
It works, so thanks for fixing this!!
Submitted by sgrayban on Tue, 03/22/2016 - 02:20 Comment #16
Closing ticket