View Issue Details

ID: 0016692
Project: phpList 3 application
Category: Interface - Administrator
View Status: public
Last Update: 25-10-12 13:14
Reporter: carlo.dambrosio
Assigned To:
Status: resolved
Resolution: fixed
Platform: PHPList 2.11.7
OS: Red Hat Enterprise Linux
OS Version: 5.8
Product Version: 2.11.7
Target Version: 2.11.8
Fixed in Version: 2.11.8
Summary: 0016692: Administrator permissions not correctly applied at first access
Description: Administrator permissions not correctly applied at first access.
Steps To Reproduce:

Using SuperAdmin access, create a new Administrator user (not Super Administrator) with all privileges but "Change Settings".

Log in as the new Administrator and all menus are available, including menus of the "Change Settings" type.

When clicking on one of these menus, an "Access Denied" error is reported and all interdicted menus disappear.

Tags: No tags attached.



15-10-12 13:20

administrator   ~0051748

yes, I've noticed that as well. Thanks for reporting. I've increased it to a Major issue.


16-10-12 05:10

reporter   ~0051749

Same problem when you make the database empty: the login and the password for the administrator are not left.
In fact, you have no admin left, no password, etc. In fact, all the database is empty.
There is no admin left by default.


16-10-12 12:43

administrator   ~0051750

sorry, but 0016692:0051749 is a silly note. If you mess around with the database yourself, then that's your own problem. The database should not be touched directly.


16-10-12 19:57

reporter   ~0051751

It is necessary to empty the database sometimes for many reasons. You delete users, and their numbers, which become free, are not used anymore, etc.
You delete messages and the counter never comes back to 1, etc.
So sometimes, it is better to put the counters back to 1.
So you empty all the files, which is a command that exists in mysql and which normally does not alter your files; only data is removed.
In this data, the data for the admin by default is also removed, but the database is still there with its parameters. If you initialize it, everything is ok, except the admin and his password by default, which are not created. It is the same for the list by default (test), which is not created.
These two parameters (admin and list by default) are only created when you load the database. They should also be created when you initialize the database.


16-10-12 23:43

administrator   ~0051752

please note the version reported, 2.11.7; are you using the same version?

when you wipe the DB, you will need to restart your browser, as certain DB information is cached in the session, and when you wipe the DB this information becomes incorrect.


18-10-12 00:42

reporter   ~0051753

Hi, I found a workaround, this is code I added in /admin/index.php, after line #252:

      $_SESSION["adminloggedin"] = $_SERVER["REMOTE_ADDR"];
      $_SESSION["logindetails"] = array(
        "adminname" => $_REQUEST["login"],
        "id" => $loginresult[0],
        "superuser" => $admin_auth->isSuperUser($loginresult[0]),
        "passhash" => sha1($_REQUEST["password"]),
      ); // --> Line 252
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      if ($_POST["page"] && $_POST["page"] != "") {
        $page = $_POST["page"];

In this way the query to the database is executed at first access and the correct privileges are assigned.

Let me know if that's right.




25-10-12 13:14

administrator   ~0051785

yes, I can confirm this fixes it. Thanks for the great contribution.
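
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not phpList code and not the reporter's patch. It assumes privileges are cached in the session and that the menu filter shows everything while that cache is empty; all function and array names are hypothetical.

```php
<?php
// Constructed model, not phpList code; every name here is hypothetical.
const ADMIN_PRIVS = [ // stands in for the privilege table in the database
    2 => ['lists' => true, 'send' => true, 'settings' => false],
];

// Runs the "query" and caches the result in the session.
function loadPrivileges(array &$session): void {
    $id = $session['logindetails']['id'];
    $session['privileges'] = ADMIN_PRIVS[$id] ?? [];
}

// Assumed pre-fix behaviour: login stores identity only.
function loginLazy(int $id): array {
    return ['logindetails' => ['id' => $id, 'superuser' => false]];
}

// Behaviour after the workaround: privileges are queried as part of login.
function loginEager(int $id): array {
    $session = loginLazy($id);
    loadPrivileges($session);
    return $session;
}

// Menu filter that fails open (assumption) while nothing is cached.
function visibleMenu(array $session): array {
    if (!isset($session['privileges'])) {
        return ['lists', 'send', 'settings'];
    }
    return array_keys(array_filter($session['privileges']));
}

// Fail-closed variant: an unpopulated session shows no restricted menus.
function visibleMenuStrict(array $session): array {
    return array_keys(array_filter($session['privileges'] ?? []));
}

// Page-level check: the control that actually denies access.
function checkAccess(array &$session, string $page): bool {
    if (!isset($session['privileges'])) {
        loadPrivileges($session);
    }
    return !empty($session['privileges'][$page]);
}

$s = loginLazy(2);
print_r(visibleMenu($s));               // menu on the first page after login
var_dump(checkAccess($s, 'settings'));  // page-level check loads privileges
print_r(visibleMenu($s));               // same menu call after the check ran
print_r(visibleMenu(loginEager(2)));    // menu when login loads privileges
```

In this model the page-level check is what enforces the restriction; the menu filter only has to agree with it, which it does from the first page once privileges are loaded at login or the filter fails closed.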