phplist

NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


ID: 0016692
Project: phplist application
Category: Interface - Administrator
View Status: public
Date Submitted: 15-10-12 10:37
Last Update: 25-10-12 13:14
Reporter: carlo.dambrosio
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: PHPList 2.11.7
OS: Red Hat Enterprise Linux
OS Version: 5.8
Product Version: 2.11.7
Target Version: 2.11.8
Fixed in Version: 2.11.8
Summary: 0016692: Administrator permissions not correctly applied at first access
Description: Administrator permissions not correctly applied at first access.
Steps To Reproduce: Using SuperAdmin access, create a new Administrator user (not Super Administrator) with all privileges but "Change Settings".

Log in as the new Administrator and all menus are available, including menus of the "Change Settings" type.

When clicking on one of these menus, the error "Access Denied" is reported and all interdicted menus disappear.
Tags: No tags attached.

Notes
(0051748)
michiel (manager)
15-10-12 13:20


Yes, I've noticed that as well. Thanks for reporting. I've increased it to a Major issue.
(0051749)
raynau (reporter)
16-10-12 05:10

Same problem when you make the database empty: the login and the password for the administrator are not left.
In fact, you have no admin left, no password, etc. In fact, all the database is empty.
There is no admin left by default.
(0051750)
michiel (manager)
16-10-12 12:43

Sorry, but 0016692:0051749 is a silly note. If you mess around with the database yourself, then that's your own problem. The database should not be touched directly.
(0051751)
raynau (reporter)
16-10-12 19:57

It is necessary to empty the database sometimes for many reasons. You delete users, and their numbers, which become free, are not used anymore, etc.
You delete messages and the counter never comes back to 1, etc.
So sometimes, it is better to put the counters back to 1.
So you empty all the files, which is a command that exists in mysql and which normally does not alter your files; only data is removed.
In this data, the data for the default admin is also removed, but the database is still there with its parameters. If you initialize it, everything is OK, except the default admin and his password, which are not created. It is the same for the default list (test), which is not created.
These two parameters (default admin and default list) are only created when you load the database. They should also be created when you initialize the database.
(0051752)
michiel (manager)
16-10-12 23:43

Please note the version reported, 2.11.7. Are you using the same version?

When you wipe the DB, you will need to restart your browser, as certain DB information is cached in the session, and when you wipe the DB this information becomes incorrect.
(0051753)
carlo.dambrosio (reporter)
18-10-12 00:42

Hi, I found a workaround. This is the code I added in /admin/index.php, after line #252:

      $_SESSION["adminloggedin"] = $_SERVER["REMOTE_ADDR"];
      $_SESSION["logindetails"] = array(
        "adminname" => $_REQUEST["login"],
        "id" => $loginresult[0],
        "superuser" => $admin_auth->isSuperUser($loginresult[0]),
        "passhash" => sha1($_REQUEST["password"]),
      ); // <-- line 252
      
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      $GLOBALS["admin_auth"]->validateAccount($_SESSION["logindetails"]["id"]);
      #Carlo D'Ambrosio - 2012-10-18 - Add-on to filter menus on first load
      
      if ($_POST["page"] && $_POST["page"] != "") {
        $page = $_POST["page"];
      }

In this way the query to the database is executed at first access and the correct privileges are assigned.

Let me know if that's right.

Bye.

Carlo.
(0051785)
michiel (manager)
25-10-12 13:14

Yes, I can confirm this fixes it. Thanks for the great contribution.
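
An added illustration, not phplist's code and not written by any participant in this thread: a minimal PHP model of the reported symptom, assuming (hypothetically) that menu filtering reads a privilege set which is only loaded on the first access check. The class, method and menu names and the sample admin id are invented for the example; it contrasts fail-open and fail-closed menu filtering, and shows the effect of loading privileges at login as the workaround does.

```php
<?php
// Hypothetical model; names and data are constructed, not taken from phplist.
class AdminAuth
{
    // Constructed sample: admin id 7 has every privilege except "settings".
    private array $granted = [
        7 => ['subscribers' => true, 'messages' => true, 'settings' => false],
    ];
    private ?array $loaded = null; // null = privileges not yet read from storage

    // Stand-in for the per-account lookup that the workaround runs at login.
    public function validateAccount(int $id): void
    {
        $this->loaded = $this->granted[$id] ?? [];
    }

    // Fail-open: an unloaded privilege set is treated as "no restrictions".
    public function menuVisibleFailOpen(string $type): bool
    {
        return $this->loaded === null ? true : ($this->loaded[$type] ?? false);
    }

    // Fail-closed: nothing is shown until the privilege set has been loaded.
    public function menuVisibleFailClosed(string $type): bool
    {
        return $this->loaded !== null && ($this->loaded[$type] ?? false);
    }
}

// Returns the menu types that would be rendered for the current session.
function visibleMenus(AdminAuth $auth, bool $failClosed): array
{
    $menus = ['subscribers', 'messages', 'settings'];
    return array_values(array_filter($menus, fn(string $m): bool =>
        $failClosed ? $auth->menuVisibleFailClosed($m) : $auth->menuVisibleFailOpen($m)));
}

$auth = new AdminAuth();
// First page after login, before any privilege lookup has happened.
echo "fail-open, not loaded:   ", implode(',', visibleMenus($auth, false)), "\n";
echo "fail-closed, not loaded: ", implode(',', visibleMenus($auth, true)), "\n";

// Load privileges as part of login, then render again.
$auth->validateAccount(7);
echo "fail-open, loaded:       ", implode(',', visibleMenus($auth, false)), "\n";
echo "fail-closed, loaded:     ", implode(',', visibleMenus($auth, true)), "\n";
```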

