Addition to #2190: Displays only vague error message on security relevant operation

Marcel Schmidt · Marcel Schmidt · commit 8d8610560493 · 2021-01-11T21:12:00.000+01:00
diff --git a/src/Libraries/SmartStore.Data/Migrations/MigrationsConfiguration.cs b/src/Libraries/SmartStore.Data/Migrations/MigrationsConfiguration.cs
@@ -115,11 +115,7 @@ public void MigrateLocaleResources(LocaleResourcesBuilder builder)
                 "Geben Sie hier zusätzliche Pfade an, die als Allow-Einträge zur robots.txt hinzugefügt werden sollen. Jeder Eintrag muss in einer neuen Zeile erfolgen.");
 
             builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayAllows", "Show items for 'Allow'", "Einträge für 'Allow' anzeigen");
-            builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayDisallows", "Show items for 'Disallow'", "Einträge für 'Disallow' anzeigen");
-           
-            builder.AddOrUpdate("Admin.Customers.CustomerRoles.OnlyAdminsAllowed",
-                "You do not have administrator rights, therefore you are not allowed to modify administrators.",
-                "Sie verfügen über keine Administratorenrechte, daher dürfen Sie Administratoren nicht modifzieren.");
+            builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayDisallows", "Show items for 'Disallow'", "Einträge für 'Disallow' anzeigen");           
         }
     }
 }
diff --git a/src/Presentation/SmartStore.Web/Administration/Controllers/CustomerController.cs b/src/Presentation/SmartStore.Web/Administration/Controllers/CustomerController.cs
@@ -637,7 +637,7 @@ public ActionResult Edit(CustomerModel model, bool continueEditing, FormCollecti
 
             if (customer.IsAdmin() && !Services.WorkContext.CurrentCustomer.IsAdmin())
             {
-                NotifyError(T("Admin.Customers.CustomerRoles.OnlyAdminsAllowed"));
+                NotifyAccessDenied();
                 return RedirectToAction("Edit", new { customer.Id });
             }
 
@@ -916,7 +916,7 @@ public ActionResult Impersonate(int id)
             // Otherwise, that user can simply impersonate as an administrator and gain additional administrative privileges
             if (!Services.WorkContext.CurrentCustomer.IsAdmin() && customer.IsAdmin())
             {
-                NotifyError(T("Admin.Customers.CustomerRoles.OnlyAdminsAllowed"));
+                NotifyAccessDenied();
                 return RedirectToAction("Edit", customer.Id);
             }
 

Original file line number	Diff line number	Diff line change
`@@ -115,11 +115,7 @@ public void MigrateLocaleResources(LocaleResourcesBuilder builder)`
`115`	`115`	`"Geben Sie hier zusätzliche Pfade an, die als Allow-Einträge zur robots.txt hinzugefügt werden sollen. Jeder Eintrag muss in einer neuen Zeile erfolgen.");`
`116`	`116`
`117`	`117`	`builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayAllows", "Show items for 'Allow'", "Einträge für 'Allow' anzeigen");`
`118`		`- builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayDisallows", "Show items for 'Disallow'", "Einträge für 'Disallow' anzeigen");`
`119`		`-`
`120`		`- builder.AddOrUpdate("Admin.Customers.CustomerRoles.OnlyAdminsAllowed",`
`121`		`- "You do not have administrator rights, therefore you are not allowed to modify administrators.",`
`122`		`- "Sie verfügen über keine Administratorenrechte, daher dürfen Sie Administratoren nicht modifzieren.");`
	`118`	`+ builder.AddOrUpdate("Admin.Configuration.Settings.GeneralCommon.DisplayDisallows", "Show items for 'Disallow'", "Einträge für 'Disallow' anzeigen");`
`123`	`119`	`}`
`124`	`120`	`}`
`125`	`121`	`}`
Original file line number	Diff line number	Diff line change
`@@ -637,7 +637,7 @@ public ActionResult Edit(CustomerModel model, bool continueEditing, FormCollecti`
`637`	`637`
`638`	`638`	`if (customer.IsAdmin() && !Services.WorkContext.CurrentCustomer.IsAdmin())`
`639`	`639`	`{`
`640`		`- NotifyError(T("Admin.Customers.CustomerRoles.OnlyAdminsAllowed"));`
	`640`	`+ NotifyAccessDenied();`
`641`	`641`	`return RedirectToAction("Edit", new { customer.Id });`
`642`	`642`	`}`
`643`	`643`
`@@ -916,7 +916,7 @@ public ActionResult Impersonate(int id)`
`916`	`916`	`// Otherwise, that user can simply impersonate as an administrator and gain additional administrative privileges`
`917`	`917`	`if (!Services.WorkContext.CurrentCustomer.IsAdmin() && customer.IsAdmin())`
`918`	`918`	`{`
`919`		`- NotifyError(T("Admin.Customers.CustomerRoles.OnlyAdminsAllowed"));`
	`919`	`+ NotifyAccessDenied();`
`920`	`920`	`return RedirectToAction("Edit", customer.Id);`
`921`	`921`	`}`
`922`	`922`