View Issue Details

ID: 0016692
Project: phplist application
Category: Interface - Administrator
View Status: public
Last Update: 25-10-12 13:14
Reporter: carlo.dambrosio
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: PHPList 2.11.7
OS: Red Hat Enterprise Linux
OS Version: 5.8
Product Version: 2.11.7
Target Version: 2.11.8
Fixed in Version: 2.11.8
Summary: 0016692: Administrator permissions not correctly applied at first access
Description: Administrator permissions not correctly applied at first access.
Steps To Reproduce: Using SuperAdmin access, create a new Administrator user (not Super Administrator) with all privileges but "Change Settings".

Log in as the new Administrator and all menus are available, also menus of the "Change Settings" type.

When clicking on one of these menus, the error "Access Denied" is reported and all interdicted menus disappear.
Tags: No tags attached.

Activities

michiel

15-10-12 13:20

manager   ~0051748


yes, I've noticed that as well. Thanks for reporting. I've increased it to a Major issue.

raynau

16-10-12 05:10

reporter   ~0051749

Same problem when you make the database empty: the login and the password for the administrator are not left.
In fact, you have no admin left, no password, etc. In fact, all the database is empty.
There is no admin left by default.

michiel

16-10-12 12:43

manager   ~0051750

Sorry, but 0016692:0051749 is a silly note. If you mess around with the database yourself, then that's your own problem. The database should not be touched directly.

raynau

16-10-12 19:57

reporter   ~0051751

It is necessary to empty the database sometimes for many reasons. You delete users, and their numbers, which become free, are not used anymore, etc.
You delete messages and the counter never comes back to 1, etc.
So sometimes, it is better to put the counters back to 1.
So you empty all the files, which is a command which exists in mysql and which normally does not alter your files; only data are removed.
In these data, the data for the admin by default are also removed, but the database is still there with its parameters. If you initialize it, everything is ok, except the admin and his password by default, which are not created. It is the same for the list by default (test), which is not created.
These two parameters (admin and list by default) are only created when you load the database. They should also be created when you initialize the database.

michiel

16-10-12 23:43

developer   ~0051752

Please note the version reported is 2.11.7; are you using the same version?

when you wipe the DB, you will need to restart your browser, as certain DB information is cached in the session, and when you wipe the DB this information becomes incorrect.

carlo.dambrosio

18-10-12 00:42

reporter   ~0051753

Hi, I found a workaround; this is the code I added in /admin/index.php, after line #252:

      $_SESSION["adminloggedin"] = $_SERVER["REMOTE_ADDR"];
      $_SESSION["logindetails"] = array(
        "adminname" => $_REQUEST["login"],
        "id" => $loginresult[0],
        "superuser" => $admin_auth->isSuperUser($loginresult[0]),
        "passhash" => sha1($_REQUEST["password"]),
      ); // <-- line 252
      
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      $GLOBALS["admin_auth"]->validateAccount($_SESSION["logindetails"]["id"]);
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      
      if ($_POST["page"] && $_POST["page"] != "") {
        $page = $_POST["page"];
      }

In this way the query to the database is executed at first access and the correct privileges are assigned.

Let me know if that's right.

Bye.

Carlo.
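
The ordering problem behind this issue, as an added PHP example that is not part of the thread and is not phpList code: a login that stores only the identity, a menu filter that treats privileges not yet loaded as allowed, and the same login with privileges loaded up front, as the workaround does. All function names, the admin id and the privilege table are constructed for illustration, and the fail-open menu filter is an assumption about the cause, which the thread does not show.

```php
<?php
// Added illustration with hypothetical names; not phpList code.
// Constructed sample data: privileges as they would be stored in the database.
const STORED_PRIVILEGES = [
    7 => ['lists' => true, 'messages' => true, 'settings' => false],
];

// Stand-in for the privilege lookup that the workaround forces at login.
function loadPrivileges(int $adminId): array
{
    return STORED_PRIVILEGES[$adminId] ?? [];
}

// Login as in the report: the identity is stored, privileges are not loaded.
function loginLazy(int $adminId): array
{
    return ['id' => $adminId];
}

// Login with privileges loaded before the first page is rendered.
function loginEager(int $adminId): array
{
    return ['id' => $adminId, 'privileges' => loadPrivileges($adminId)];
}

// Assumed failure mode: "privileges not loaded yet" is treated as allowed.
function visibleMenusFailOpen(array $session, array $menus): array
{
    return array_values(array_filter($menus, function ($menu) use ($session) {
        return !isset($session['privileges']) || !empty($session['privileges'][$menu]);
    }));
}

// Hardened filter: anything not explicitly granted is hidden.
function visibleMenusFailClosed(array $session, array $menus): array
{
    return array_values(array_filter($menus, function ($menu) use ($session) {
        return !empty($session['privileges'][$menu]);
    }));
}

$menus = ['lists', 'messages', 'settings'];
print_r(visibleMenusFailOpen(loginLazy(7), $menus));   // first page, lazy login
print_r(visibleMenusFailOpen(loginEager(7), $menus));  // first page, eager login
print_r(visibleMenusFailClosed(loginLazy(7), $menus)); // lazy login, deny by default
```

Loading privileges at login removes the window in which the menu is built without them; the deny-by-default filter keeps a missing privilege set from showing restricted menus if another code path ever skips the load.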

michiel

25-10-12 13:14

developer   ~0051785

yes, I can confirm this fixes it. Thanks for the great contribution.

Issue History

Date Modified Username Field Change
15-10-12 10:37 carlo.dambrosio New Issue
15-10-12 13:20 michiel Note Added: 0051748
15-10-12 13:20 michiel Severity minor => major
15-10-12 13:20 michiel Target Version => 2.11.8
16-10-12 05:10 raynau Note Added: 0051749
16-10-12 12:43 michiel Note Added: 0051750
16-10-12 19:57 raynau Note Added: 0051751
16-10-12 23:43 michiel Note Added: 0051752
18-10-12 00:42 carlo.dambrosio Note Added: 0051753
25-10-12 13:14 michiel Note Added: 0051785
25-10-12 13:14 michiel Status new => resolved
25-10-12 13:14 michiel Fixed in Version => 2.11.8
25-10-12 13:14 michiel Resolution open => fixed