Tuesday, May 22, 2012
 Discussion Forums at Locopon's Minimize
 
New Post
 1/23/2007 4:26 AM
 
Security Problem?  (Belgium)

Hi,

Is it possible that in the previous version there is a bug in the security of the module localisations? It seems I can adjust the module settings although the user logged in has no edit rights for the module...

Kind regards,

M.

New Post
 1/23/2007 4:51 AM
 
Re: Security Problem?  (Bolivia)

No, DSLocalizator only replaces text in your site. No permissions are touched.

Also, the module has the ability to change some module properties, but again, no permissions are there.

The only difference since 1.0.15 are new features like the file includer, regex replacer, etc. (and validation only for new DNN versions like 4.4) and again no permissions touched there.

New Post
 1/23/2007 5:37 AM
 
Re: Security Problem?  (Belgium)

Hi Locopon,

Let me try to explain more what I meant:

It seems that, through the DSTabLocalizator, people who have no access to some of the modules (using the default role settings of DNN) can change the visibility of modules for which they do not have normal edit rights.

For example:

I created a new test role, and a new test user. Then I gave the user edit access to a new test page, but to nothing else.

This user is now able to:

  • Localize the test page (which is exactly what I wanted)
  • Hide modules for some languages on EVERY page, not only the test page. This is NOT what I expected. It seems to me that that should have been only the modules of the test page.

My previous test was with the 01.00.20 version in DNN 3.X. I just tested it with version 01.00.23 in DNN 4.0, and it seems that this contains the same problem.

Kind regards,

Michel

New Post
 1/24/2007 6:36 PM
 
Re: Security Problem?  (Bolivia)
Sorry, I still don't understand your problem. Please give step by step details and information about what module permissions, etc.
New Post
 1/25/2007 9:06 AM
 
Re: Security Problem?  (Belgium)

Ok, let's try again. These are the steps I performed.

  1. Brand new installation of DotNetNuke 4, only added a few languages for testing
  2. Logged in as "Host"
  3. Added the DSTabLocalizator on the homepage
  4. Installed the Hack
  5. Created a new role "Testers", in the Global Roles Group. (Not Public, not Auto Assign)
  6. Created a new user "Tester"
  7. Added the "Testers" role to the "Tester" user
  8. Created a "TestPage", to which only admins have "View" and "Edit" Permissions
  9. Checked the Permissions settings of the default added Text/HTML module on the TestPage (only admins should have edit rights to this module). (Also changed the module title to "TestModule")
  10. Went to the page on which I added the DSLocalizator (the homepage)
  11. Changed the permissions of the page (gave "all users" and "Testers" roles edit and view rights on the page)
  12. Changed the permission settings of the DSLocalizator module (checked off the inherit view permissions, gave the "all users" and "Testers" roles edit and view rights on the module)
  13. Logged out
  14. Logged in as "Tester"
  15. Went to the page on which I added the DSLocalizator (the homepage)
  16. Clicked on Tab Localization of the DSLocalizator => Now I get a list of pages I can edit (only homepage). This is correct.
  17. Went back to the homepage, and clicked on the Module Localization link of the DSLocalizator module
  18. Checked the Tablist, and now I see all the pages. Select the TestPage
  19. Select the TestModule (the default added module)
  20. Checked the hidden checkbox for this module for this culture, and clicked "update"
  21. Logged out
  22. Logged in as "Host"
  23. Went to the "TestPage"
  24. Added the DSLocaleSelector
  25. Went to the language for which I hid the TestModule => The TestModule is not visible

Conclusion:

In this case, as the "Tester" user, I was able to hide a module for which I do not have edit (and view) rights, on a page for which I did not have edit (and view) rights.

I really like your module, but if I want to give "testers" the possibility to add pages in multiple languages, it seems they have the possibility to mess up my entire site. For me, this is not acceptable.

Question:

Is this a bug in the module, or do I have to set up the permissions of my "testers" in a different way?

Kind regards,

Michel
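
Added example, not part of the thread and not DotNetNuke or DSLocalizator code: a small Python model of the behaviour reported in the steps above, with the page list filtered by edit rights and the "hide" update re-checked on the server side. The class, function names, role names and the policy (hiding requires edit rights on both the page and the module) are assumptions made for illustration.

```python
# Hypothetical model only; names and policy are assumptions, not DSLocalizator internals.
from dataclasses import dataclass, field

@dataclass
class Page:
    name: str
    edit_roles: set
    modules: dict = field(default_factory=dict)  # module title -> roles with edit rights
    hidden: set = field(default_factory=set)     # (module title, culture) pairs

def can_edit_page(user_roles, page):
    return bool(user_roles & page.edit_roles)

def can_edit_module(user_roles, page, title):
    return bool(user_roles & page.modules.get(title, set()))

def list_pages_reported(user_roles, site):
    # Behaviour described in the thread: Module Localization lists every page.
    return [p.name for p in site.values()]

def list_pages_checked(user_roles, site):
    # Same filter the thread says Tab Localization already applies.
    return [p.name for p in site.values() if can_edit_page(user_roles, p)]

def hide_module(user_roles, site, page_name, title, culture):
    # Authorize the update itself: filtering the list alone does not help
    # if the update accepts any page/module pair it is handed.
    page = site.get(page_name)
    if page is None or title not in page.modules:
        raise KeyError(f"unknown target {page_name}/{title}")
    if not (can_edit_page(user_roles, page) and can_edit_module(user_roles, page, title)):
        raise PermissionError(f"no edit rights on {page_name}/{title}")
    page.hidden.add((title, culture))

def build_site():
    # Constructed sample mirroring the setup in the post.
    home = Page("Home", {"Administrators", "Testers"},
                {"DSLocalizator": {"Administrators", "Testers"}})
    test = Page("TestPage", {"Administrators"}, {"TestModule": {"Administrators"}})
    return {p.name: p for p in (home, test)}

if __name__ == "__main__":
    site, tester = build_site(), {"Testers"}
    print("reported list:", list_pages_reported(tester, site))
    print("checked list: ", list_pages_checked(tester, site))
    try:
        hide_module(tester, site, "TestPage", "TestModule", "nl-BE")
    except PermissionError as exc:
        print("update rejected:", exc)
```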
