FIX - modules accesible by groups points

Posted: Tue Aug 22, 2006 6:14 am

I;ve noticed links from modules block can be be accesesd by any registered user even modules are set to a specific group.
(Regardless points of user any module can be accessed).
in file html/modules.php line 50
find

Quote:

} elseif($view == 1 AND (is_user($user) OR is_group($user, $name) OR is_admin($admin))) {

replace with

Quote:

} elseif($view == 1 AND (is_user($user) AND is_group($user, $name) OR is_admin($admin))) {

In this way modules will be accesible by points of user as they should be.

registered · Posted: Tue Aug 22, 2006 6:47 am

This edit is not right. Are you sure that you were not logged in as admin when you were testing this. The original code is proper I believe.

Posted: Tue Aug 22, 2006 6:52 am

BTW, I am looking at this more closely now. Neither approach looks right to me right now... give me a bit.

Posted: Tue Aug 22, 2006 6:56 am

Ok, I've looked at the function definition for is_group and the original code is working properly. Please make sure you were not logged in as admin AND also check the Edit Groups/Points and check to see if the module points is still 0.

Posted: Tue Aug 22, 2006 6:58 am

I'm very sure.
Maybe my english is not good enough to cleary explain, but I see like this:
is_user($user) OR is_group($user, $name)
acces will be granted no matter if user belong to a group cuz is_user($user) - first condition accomplished, ignored second
(is_user($user) AND is_group($user, $name)
acces will be granted only if user is user AND belong to a group
(function is_group define if user is on a group or not)
Besides I tested this with 3 groups defined and different user with different amount of points and is working right.(regarding modules access, hope it wont screw up something in other place - but I didn't noticed such thing)

Posted: Tue Aug 22, 2006 7:07 am

Oh, I see it now... Embarassed

However, for clarity sake, I added an additional set of parenthesise, even though I believe based on the PHP execution rules it would be working just fine.:

} elseif($view == 1 AND ((is_user($user) AND is_group($user, $name)) OR is_admin($admin))) {

If you agree, I will also make that change to the upcoming 2.10.00 release code.

Posted: Tue Aug 22, 2006 7:16 am

Just tested, is working also with additional set of parenthesise just fine.

Quote:

If you agree, I will also make that change to the upcoming 2.10.00 release code.

Of course I agree, that's why I try to find and correct problems, to have a better future version.

Posted: Tue Aug 22, 2006 7:24 am

Enforcer, thanks for bringing this up!

Wave

Posted: Tue Aug 22, 2006 7:38 am

NP, if I'll find such issues I'll let you know Smile

As a side note, I started to work on a alternative mail sending using SSL (Gmail for example) for ppl that have mail() function disabled.
This present any interest or better let it go? (I ask this looking to skip activation patch - 40 views, 1 comment, 0 dowloads)

Posted: Tue Aug 22, 2006 7:41 am

In case anyone is interested, for 2.10.00, the code was changed as follows:

Code:




      if ($view == 0) {


         $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


      } elseif ($view == 1 AND ((is_user($user) AND is_group($user, $name)) OR is_admin($admin))) {  //RN0000119, RN0000317


         $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


      } elseif ($view == 2 AND is_admin($admin)) {


         $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


      } elseif ($view == 3 AND (paid() OR is_admin($admin))) {  //RN0000119, RN0000317


         $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


      } elseif ($view > 3 AND in_groups($groups)) {


         $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


      }

This had another bug fix in it where the admin was not seeing all of the modules as he/she should.

Posted: Wed Nov 01, 2006 8:32 pm

Enforcer, are you sure that bit of code worked? The RavenNuke 2.10.00 QA Team found an issue with this. Are you sure this one line shouldn't be this?

} elseif ($view == 1 AND ((is_user($user) AND is_group($user, $m_title)) OR is_admin($admin)))

Posted: Wed Nov 01, 2006 8:44 pm

I am using this on 2.02.02 exactly as I initially posted and I have no problems at all, I am using groups since then, I have over 800 users and no one complained about groups not working.
In fact groups not working problem encoutered on first install of RN 2.02.02 leads me to this fix.
About

Code:

} elseif ($view == 1 AND ((is_user($user) AND is_group($user, $m_title)) OR is_admin($admin)))

dunno what to say, I don't think is working, but I have to try this first.
EDIT:
Maybe this formula is correct for new version as I don't know what is changed.

Posted: Wed Nov 01, 2006 9:05 pm

Your original had is_group($user, $name), but $name really needs to be $m_title I think. $name will not have a value as far as I am able to tell so far.

Posted: Wed Nov 01, 2006 9:20 pm

Originally was
} elseif($view == 1 OR (is_user($user) OR is_group($user, $name) OR is_admin($admin))) {
And I replaced with
} elseif($view == 1 AND (is_user($user) OR is_group($user, $name) OR is_admin($admin))) {
Looking at
function is_user($user)
and
function is_group($user, $name)
I can't see any reference to $m_title, furthermore $m_title define modules title (title, custom title) and I can't see how is related to groups access.

Posted: Wed Nov 01, 2006 9:31 pm

Your original post was related to group points system which is what I thought we were talking about. The function is_group() is looking to the have module name passed into it in the second parameter. The reason why is that it needs to check the user's points associated with the points group level that module requires in order to be visible to that user (I think - I don't claim to be a "points" expert, because I am more into NSN Groups myself).

If you look above this code right after where the sql fetch is done, the module title is being placed into the $m_title variable. At least that is the case with the 3.2/3.3 patches (possibly prior to, but not sure). So, I wonder if there is a patch difference here.

For what it is worth, here is the complete "fixed" code that I have for 2.10.00:

Code:




$result3 = $db->sql_query('SELECT * FROM ' . $prefix . '_modules WHERE active=1 AND title!=\''.$def_module.'\' AND inmenu=1 ORDER BY custom_title ASC');


while ($row3 = $db->sql_fetchrow($result3)) {


    $groups = $row3['groups'];


    $m_title = stripslashes($row3['title']);


    $custom_title = $row3['custom_title'];


    $view = intval($row3['view']);


    $m_title2 = ereg_replace('_', ' ', $m_title);


    if (!empty($custom_title)) {


        $m_title2 = $custom_title;


    }


    if ($m_title != $main_module) {


        if ($view == 0) {


            $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


        } elseif ($view == 1 AND ((is_user($user) AND is_group($user, $m_title)) OR is_admin($admin))) {  //RN0000119, RN0000317


            $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


        } elseif ($view == 2 AND is_admin($admin)) {


            $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


        } elseif ($view == 3 AND (paid() OR is_admin($admin))) {  //RN0000119, RN0000317


            $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


        } elseif ($view > 3 AND in_groups($groups)) {


            $content .= '<strong><big>&middot;</big></strong>&nbsp;<a href="modules.php?name='.$m_title.'">'.$m_title2.'</a><br />';


        }


    }


}


$db->sql_freeresult($result3);

Posted: Wed Nov 01, 2006 9:39 pm

Yes, about group points system I'm talking,
Like I said before, unfortuantelly I'm not good at explainig things and my english level don't help me either.
On top of that here is 5AM.
Sorry if I create any confusion.
I'll look into this myself and I'll report if I'll see problems.

Posted: Wed Nov 01, 2006 10:01 pm

I have tested in this way:
I replaced is_group($user, $name) with is_group($user, $m_title).
I set my points to a certain level, under minimum allowable points using a query.
UPDATE nuke_users SET points = 10 WHERE username= 'Enforcer';
I loged off as admin, loged in as user and I was able to access all modules regardless groups asignated.
I changed back to is_group($user, $name) and everithing worked as supposed.
You can test yourself, won't take more that 10 minutes, create 2-3 groups, assign 2-3 modules, set your points under lower group points, log off as admin, log in as user and see what's happend. Then put is_group($user, $name) back and try again.
You'll see yourself wich formula works.

Posted: Thu Nov 02, 2006 6:35 am

Well, don't know what to tell you. Here is my setup and $name does not work but $m_title does:

1) Added Points Group "Group1" and gave it 10 points

2) Added new user "Test1" and gave him 0 points

3) Went into modules administration, set Encyclopedia as "Registered Users Only" (which is required for the points system to work) and then selected points group "Group1".

With $name here is what I saw:

a) Logged out of admin and Encyclopedia does not show (good)

b) Logged in as Test1 and Encyclopedia shows (remember that my user has 0 points at this point in time). (bad)

With $m_title here is what I get:

a) Still logged out of admin and logged out of "Test1".

b) Encyclopedia does not show in the block (good).

c) Logged in as "Test1" and Encyclopedia does NOT show in the block (good).

d) Edit nuke_users table and set Test1's points to 15.

e) Refreshed the brower, and now Encyclopedia shows in the block (good).

Enforcer, I don't know what or how you are testing, but both Raven and I have validated (with a debugger tool) that $name is undefined within this block of code and therefore should not work. My testing validates this as well.

Posted: Thu Nov 02, 2006 6:44 am

I was testing in same way as you.
It look like somewhere is a difference in codes we are testing, but can't see where.
Obviously you should use what is working on new version.
Also if you want I can give you full access to my instalation files and database to see I don't telling you crap.