From: SourceForge.net <no...@so...> - 2006-07-06 15:03:21
Bugs item #1410940, was opened at 2006-01-20 10:56
Message generated for change (Comment added) made by axelseaa
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=108956&aid=1410940&group_id=8956

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Admin
Group: v1.8
Status: Closed
Resolution: Fixed
Priority: 5
Submitted By: blentz (blentz)
Assigned to: Nobody/Anonymous (nobody)
Summary: Accessing designer account admin logs you out

Initial Comment:
When logged in as a superuser with all ACL abilities, I try to go and modify an existing designer. I can get as far as the "Designers Account Administration" form, but if I click *anything* i.e. Update/Cancel/Delete buttons, Go back to Management Interface link, or even manually try and go to /admin/manage.php, I am booted out and am sent to the Management Login form with "Incorrect User ID or Password, or your account has been disabled/expired."

This makes changing or deleting an existing designer impossible.

----------------------------------------------------------------------

Comment By: Aaron Axelsen (axelseaa)
Date: 2006-07-06 10:03

Message:
Logged In: YES
user_id=704595

Depending upon how your webserver is configured, you can use .htaccess files to change the register globals option. Try something like this:

php_flag register_globals 0

Register globals is not only an unsupported phpesp configuration, but it is also a security issue to leave it on.

----------------------------------------------------------------------

Comment By: Matthew Gregg (greggmc)
Date: 2006-07-06 09:35

Message:
Logged In: YES
user_id=14116

Do what you want, don't use phpESP, I don't care. I refuse to do anything to work around globals being on. Get used to it being off. In PHP6 it will no longer be an option AT ALL and will always be off.

----------------------------------------------------------------------

Comment By: blentz (blentz)
Date: 2006-07-06 08:39

Message:
Logged In: YES
user_id=997838

With all due respect, phpESP is not the only PHP application in the world, nor is it the only PHP application on my server. Therefore, I cannot allow phpESP to dictate the setting of register_globals on my server's configuration due to the *other* applications I've got.

This is the motivation for the patch I've provided below, which folks seem to be having success with.

Perhaps if phpESP used unique variable names in the first place, this entire issue would be moot and we wouldn't be discussing this bug right now.

----------------------------------------------------------------------

Comment By: Matthew Gregg (greggmc)
Date: 2006-07-05 22:07

Message:
Logged In: YES
user_id=14116

register_globals should be OFF. This problem might exist if they are on (an unsupported configuration). Globals are off on my development and production servers and I have no problems.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-07-05 07:57

Message:
Logged In: NO

I had that problem too, also with admrespondents, also for me is a must to have register_globals=On, so I used the patch, and it works great (v 1.8.2) but you must remove manually some extra variables at admrespondent.inc.

Thanks a lot!!!!!

----------------------------------------------------------------------

Comment By: Matthew Gregg (greggmc)
Date: 2006-06-23 10:27

Message:
Logged In: YES
user_id=14116

Are you using version 1.8.2 and do you have register_globals on or off?

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-06-23 10:09

Message:
Logged In: NO

I'm having the same problem. Can someone give me some instructions for how to install the patch. Sorry, I'm a noob at this.

----------------------------------------------------------------------

Comment By: blentz (blentz)
Date: 2006-03-16 13:28

Message:
Logged In: YES
user_id=997838

Please try to use the patch I attached to this bug report back in January. It will fix your problem.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-03-16 12:47

Message:
Logged In: NO

I am having the same issue... I am going to root out my bad account thru MySQL... But you are right, we are unable to mod, del, and create account using phpESP.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-03-03 08:04

Message:
Logged In: NO

Same Problem!

----------------------------------------------------------------------

Comment By: blentz (blentz)
Date: 2006-01-23 22:21

Message:
Logged In: YES
user_id=997838

I'm guessing you're both right; problem is that I have other PHP applications on the system that require register_globals. I've created a patch from the changes by R. Schroeder, can be applied to the phpESP source tree using:

patch -p0 < phpESP-1.8.patch

Tested, corrects this bug. Perhaps this patch could be incorporated into the next release, making the Administer Respondants and Administer Designers work on systems with register_globals?

----------------------------------------------------------------------

Comment By: Matthew Gregg (greggmc)
Date: 2006-01-23 18:50

Message:
Logged In: YES
user_id=14116

I believe this bug is only present when register globals is on (an unsupported configuration). But I could be wrong.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-01-23 17:56

Message:
Logged In: NO

Check around line 180 in admdesigner.inc. My modifications are below to fix conflicting variable names. Similar fix applies to admrespondent.

/* load ACL */
if(!empty($u) && !empty($r)) {
    $sql = "SELECT * FROM ".$GLOBALS['ESPCONFIG']['designer_table']." WHERE username=$u AND realm=$r";
    $result = execute_sql($sql,"",ADODB_FETCH_ASSOC);
    if($arr = fetch_row($result)) {
        /*
        foreach(array(
            'username', 'realm', 'fname', 'lname', 'email',
            'pdesign', 'pstatus', 'pdata', 'pall', 'pgroup', 'puser',
            'disabled', 'expiration') as $col)
        {
            $$col = $arr[$col];
        }
        $u =& $username;
        $r =& $realm;
        */

        // Ryan Schroeder - assign manually to avoid conflicting with $username
        $u = $arr['username'];
        $r = $arr['realm'];
        $fname = $arr['fname'];
        $lname = $arr['lname'];
        $email = $arr['email'];
        $pdesign = $arr['pdesign'];
        $pstatus = $arr['pstatus'];
        $pdata = $arr['pdata'];
        $pall = $arr['pall'];
        $pgroup = $arr['pgroup'];
        $puser = $arr['puser'];
        $disabled = $arr['disabled'];
        $expiration = $arr['expiration'];

        if(intval($expiration) > 0) {
            $ex_year = substr($expiration,0,4);
            $ex_month = substr($expiration,4,2);
            $ex_day = substr($expiration,6,2);
        } else {
            $ex_year = '';
            $ex_month = '';
            $ex_day = '';
        }
    } else {
        $errstr .= mkerror(_('Account not found.') .' ('. ErrorMsg() .')');
    }
}

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=108956&aid=1410940&group_id=8956
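
The variable-name collision discussed in this thread, as an added example that is not phpESP code or part of any comment above. It assumes, hypothetically, that the logged-in admin's name is held in a variable called $username that a later login check reads; the function names, session keys and sample data are constructed for illustration.

```php
<?php
// Columns the original foreach expanded into same-named variables.
const DESIGNER_COLS = ['username', 'realm', 'fname', 'lname', 'email', 'pdesign',
    'pstatus', 'pdata', 'pall', 'pgroup', 'puser', 'disabled', 'expiration'];

// Original pattern: $$col overwrites any variable already in scope,
// including the caller's $username (assumed here to be the admin identity).
function load_with_variable_variables(array $row, string $username): string
{
    foreach (DESIGNER_COLS as $col) {
        if (array_key_exists($col, $row)) {
            $$col = $row[$col];
        }
    }
    return $username; // the identity a later login check would read
}

// Patched pattern: the record is copied into names that cannot collide.
function load_with_explicit_names(array $row, string $username): string
{
    $u = $row['username'];
    $r = $row['realm'];
    return $username; // unchanged
}

// Audit helper: which column names are also request or session keys, and
// would therefore share one global when register_globals is on?
function colliding_names(array $cols, array ...$sources): array
{
    $taken = [];
    foreach ($sources as $src) {
        $taken += array_flip(array_keys($src));
    }
    return array_values(array_filter($cols, fn($c) => isset($taken[$c])));
}

// Constructed sample data: the designer row being edited and a
// hypothetical session for the admin doing the editing.
$row     = ['username' => 'designer1', 'realm' => 'survey'];
$session = ['username' => 'superuser', 'password' => 'constructed'];

echo load_with_variable_variables($row, 'superuser'), "\n";
echo load_with_explicit_names($row, 'superuser'), "\n";
echo implode(',', colliding_names(DESIGNER_COLS, $session)), "\n";
```

The first call returns the name of the designer being edited rather than the admin's, which matches the symptom in the initial report; the helper can be pointed at $_GET, $_POST, $_COOKIE and $_SESSION to list names that need the same treatment in admrespondent.inc.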