View Issue Details

ID: 0000109
Project: XMB1
Category: Bugs
View Status: public
Last Update: 2008-08-22 03:39
Reporter: HoodedMan
Assigned To: kuba1
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.9.10
Target Version: 1.9.11
Fixed in Version: 1.9.11
Summary: 0000109: User Access List problems
Description: I'm having a few problems with the user access list. I have a forum (not a subforum) that should be visible and accessible only to the users on the user access list. As some of these users are not staff, I have extended all permissions down to Member.

This has yielded interesting results. As a guest, I cannot see the forum, and as a member I cannot see the forum unless I am on the user access list. However, a Super Moderator who is not on the user access list was able to see the forum and I was able to reproduce that result.

However, I don't quite understand it. The code for subforums looks normal to me; it uses checkForumPermissions() and checks for X_PERMS_VIEW && X_PERMS_USERLIST like the rest of the code, but I don't quite get the code for forums.
Additional Information: http://forums.xmbforum.com/viewthread.php?tid=764994
http://forums.xmbforum.com/viewthread.php?tid=772879

This bug originated in the version 1.9.9 code base.
Tags: API
SVN Revision: 1251

Relationships

child of 0000117 closed miqrogroove Make Forum Permissions More Modular, Consistent

Activities

kuba1

2008-08-10 15:19

reporter   ~0000030

This item just needs consistency in application throughout XMB wherever permissions are used. I plan to use viewer||userlist throughout.

miqrogroove

2008-08-10 16:35

administrator   ~0000031

One of the oddballs to look out for is post quoting. That happens in the middle of post.php and comes with its own perms check.

kuba1

2008-08-11 19:24

reporter   ~0000032

3 lines in forumdisplay.php edited and permissions tested on test site.

miqrogroove

2008-08-11 20:32

administrator   ~0000033

Um. Are you done? Do you want me to do the rest of it? :P

kuba1

2008-08-12 07:52

reporter   ~0000034

Nope. Not done. Permissions edits in all of the following files:

post.php
stats.php
today.php
topicadmin.php
viewthread.php
misc.php

Will be testing tonight and will commit if tests are passed.

miqrogroove

2008-08-12 10:50

administrator   ~0000035

Remember to hit functions.inc.php as well.

kuba1

2008-08-12 22:06

reporter   ~0000036

function forum, function forumlist

I'm committing the changes now. Will test more tomorrow and close this item if tests are good.

So far, so good; permissions are working well.

kuba1

2008-08-12 22:11

reporter   ~0000037

also 1238 and 1239
all changes committed.

miqrogroove

2008-08-12 22:45

administrator   ~0000038

Let me do a code search to eliminate some of the guesswork here...

viewthread.php
post.php
member.php
index.php
vtmisc.php
topicadmin.php
today.php
stats.php
misc.php
functions.inc.php
online.inc.php
forumdisplay.php

miqrogroove

2008-08-16 14:46

administrator   ~0000039

I'm going to add some API stuff this afternoon. Are you still working on this permissions issue?

kuba1

2008-08-16 17:59

reporter   ~0000040

Yes I am. It has been neglected a few days, but will finish the other files this weekend. Should be able to commit the rest tomorrow.

miqrogroove

2008-08-16 19:17

administrator   ~0000041

Finished up the remaining files so that I can commit pending API changes.

Also, it was necessary to change function checkForumPermissions() as it turned out the underlying problem was a bug we picked up from the 1.9.9 code base.

To patch the 1.9.10 branch, revisions 1237 through 1240 would need to be ported.

miqrogroove

2008-08-16 23:35

administrator   ~0000043

Guests aren't being handled properly now in checkForumPermissions().

miqrogroove

2008-08-17 03:02

administrator   ~0000044

More tweaks were needed. Ugh! The fix for this issue now consists of parts of revisions 1237 through 1240, 1249, and 1251. But there are a lot of API changes going on with the 1.9.11 code while I'm shaking out these userlist bugs. I've added 0000124 as well, which is causing PHP warnings in the userlist feature.

Issue History

Date Modified Username Field Change
2008-08-10 14:39 miqrogroove New Issue
2008-08-10 14:39 miqrogroove Original Reporter => HoodedMan
2008-08-10 14:41 miqrogroove Severity minor => major
2008-08-10 14:41 miqrogroove Status new => confirmed
2008-08-10 14:41 miqrogroove Projection none => minor fix
2008-08-10 15:05 miqrogroove Additional Information Updated
2008-08-10 15:19 kuba1 Note Added: 0000030
2008-08-10 15:19 kuba1 Assigned To => kuba1
2008-08-10 16:35 miqrogroove Note Added: 0000031
2008-08-10 22:16 miqrogroove Original Reporter HoodedMan =>
2008-08-10 22:16 miqrogroove Reporter miqrogroove => HoodedMan
2008-08-11 19:24 kuba1 SVN Revision => 1237
2008-08-11 19:24 kuba1 Note Added: 0000032
2008-08-11 19:24 kuba1 Additional Information Updated
2008-08-11 20:32 miqrogroove Note Added: 0000033
2008-08-12 07:52 kuba1 Note Added: 0000034
2008-08-12 10:50 miqrogroove Note Added: 0000035
2008-08-12 22:06 kuba1 Note Added: 0000036
2008-08-12 22:11 kuba1 Note Added: 0000037
2008-08-12 22:45 miqrogroove Note Added: 0000038
2008-08-16 14:46 miqrogroove Note Added: 0000039
2008-08-16 16:06 miqrogroove Relationship added related to 0000117
2008-08-16 16:06 miqrogroove Relationship deleted related to 0000117
2008-08-16 16:06 miqrogroove Relationship added child of 0000117
2008-08-16 17:59 kuba1 Note Added: 0000040
2008-08-16 19:15 miqrogroove Additional Information Updated
2008-08-16 19:17 miqrogroove SVN Revision 1237 => 1240
2008-08-16 19:17 miqrogroove Note Added: 0000041
2008-08-16 19:17 miqrogroove Status confirmed => resolved
2008-08-16 19:17 miqrogroove Fixed in Version => 1.9.11
2008-08-16 19:17 miqrogroove Resolution open => fixed
2008-08-16 23:35 miqrogroove Note Added: 0000043
2008-08-16 23:35 miqrogroove Status resolved => assigned
2008-08-16 23:35 miqrogroove Resolution fixed => reopened
2008-08-16 23:35 miqrogroove Fixed in Version 1.9.11 =>
2008-08-17 00:30 miqrogroove SVN Revision 1240 => 1249
2008-08-17 00:30 miqrogroove Status assigned => resolved
2008-08-17 00:30 miqrogroove Fixed in Version => 1.9.11
2008-08-17 00:30 miqrogroove Resolution reopened => fixed
2008-08-17 02:58 miqrogroove Tag Attached: API
2008-08-17 03:02 miqrogroove SVN Revision 1249 => 1251
2008-08-17 03:02 miqrogroove Note Added: 0000044
2008-08-22 03:39 miqrogroove Status resolved => closed