|
Page 1 of 3
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Hi, I put it in here because I think it could be a bug...
I'll try to summarize this four-hours-to-solve problem.
Well, in the portal and in the forum index I have the Quick Links block. I modified it in order to let some links be shown only to admins; here's the code:
<div id="main_links2" style="display: none; position: relative; padding-top: 0px; padding-bottom: 0px;">
<table border="0" cellpadding="0" cellspacing="4" width="100%" class="forumline-no2">
<tbody>
<!-- BEGIN mg_switch_user_is_admin -->
<tr>
<td align="left" width="8">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left">{ADMIN_LINK}</a></td>
</tr>
<!-- END mg_switch_user_is_admin -->
and
<!-- BEGIN mg_switch_user_is_admin -->
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_DOWNLOADS}">{L_DOWNLOADS}</a></td>
</tr>
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_DB_GEN}">{L_DB_GEN}</a></td>
</tr>
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_SUDOKU}">{L_SUDOKU}</a></td>
</tr>
<!-- END mg_switch_user_is_admin -->
</tbody>
</table>
</div>
and in "Info" section
<div id="info_links2" style="display: none; position: relative;">
<table border="0" cellpadding="0" cellspacing="4" width="100%" class="forumline-no2">
<tbody>
<!-- BEGIN mg_switch_user_is_admin -->
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_HACKS_LIST}">{L_HACKS_LIST}</a></td>
</tr>
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_REFERRERS}">{L_REFERRERS}</a></td>
</tr>
<!-- END mg_switch_user_is_admin -->
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_VIEWONLINE}">{L_WHO_IS_ONLINE}</a></td>
</tr>
<!-- BEGIN mg_switch_user_is_admin -->
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_STATISTICS}">{L_STATISTICS}</a></td>
</tr>
<tr>
<td width="8" align="left" valign="middle">{IMG_ARROW_RIGHT}</td>
<td class="genmed" align="left"><a href="{U_SITE_HIST}">{L_SITE_HIST}</a></td>
</tr>
<!-- END mg_switch_user_is_admin -->
</tbody>
</table>
Very simple, I just used the user_is_admin switch in order to disable some links to users.
Yesterday, navigating the ACP I saw two users playing sudoku, which should have been disabled (I'm monitoring query usage, XS is not kinda... light ), as you can see from the code. I checked the code but I was sure nobody (other admins) had touched it, and so it was. I tried anyway to change something in the code just to see what happened, when I saw a thing that astonished me: users and guests could see the ACP link and try to log in.
I spent a lot of time looking for some error in the code but I was wrong 'cause the problem wasn't there. But changing the nav_quick_links.tpl I could see that the Quick Links block in forum index was modified by my changes and the block in portal index wasn't.
So I found it was a caching problem.
So, caching THAT block in portal (I suppose in forum index it's not cached?) causes a very "funny" thing... If I empty the cache I can see what follows:
- Empty cache, an admin logs in and loads the portal: even guests can see all links.
- Empty cache, a user (even a guest) without admin privileges loads the portal: the admin doesn't see the links, as if he wasn't admin.
In a few words, first to come decides... (now I'm laughing 'cause I don't want to bore you more than necessary, but I stayed up till four am )
Ok then... I solved it for now by disabling the caching system, but this obviously causes my portal index to generate more than FIFTY queries... and I cannot afford such an amount.
Another solution could be to totally remove the links... but I'd like to solve it less brutally...
Sincerely I don't know when this thing started, I found it yesterday. Anyway I don't think it has always been like that 'cause when I modified the switch I tested it as admin, user and guest and all worked fine.
Well I think it's all... any suggestion?
|
#1 Mon 16 Oct, 2006 09:51 |
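The "first to come decides" behaviour described in the post above is what a cache produces when output that depends on the viewer's privileges is stored under a key that ignores them. The sketch below is an added example, not code from this thread or from Icy Phoenix: the function names, the in-memory array cache and the simplified switch syntax are assumptions made for illustration.

```php
<?php
// Added illustration, not Icy Phoenix code; every name below is hypothetical.

// Keep <!-- BEGIN x --> ... <!-- END x --> sections only when switch x is on.
function render_block(string $tpl, array $switches): string
{
    return preg_replace_callback(
        '/<!-- BEGIN (\w+) -->(.*?)<!-- END \1 -->/s',
        fn(array $m) => !empty($switches[$m[1]]) ? $m[2] : '',
        $tpl
    );
}

// Flawed: the rendered HTML is cached under the block name alone, so the
// first viewer's privileges are baked into what everyone else receives.
function cached_block_shared(array &$cache, string $name, string $tpl, bool $isAdmin): string
{
    if (!isset($cache[$name])) {
        $cache[$name] = render_block($tpl, ['mg_switch_user_is_admin' => $isAdmin]);
    }
    return $cache[$name];
}

// Corrected: every input that changes the output is part of the cache key.
function cached_block_keyed(array &$cache, string $name, string $tpl, bool $isAdmin): string
{
    $key = $name . '|admin=' . (int) $isAdmin;
    if (!isset($cache[$key])) {
        $cache[$key] = render_block($tpl, ['mg_switch_user_is_admin' => $isAdmin]);
    }
    return $cache[$key];
}

// Constructed sample block: one admin-only row, one public row.
$tpl = '<!-- BEGIN mg_switch_user_is_admin -->[ACP link]<!-- END mg_switch_user_is_admin -->'
     . '[Who is online link]';

foreach (['cached_block_shared', 'cached_block_keyed'] as $fn) {
    foreach ([[true, false], [false, true]] as [$first, $second]) {
        $cache = [];                                   // "Empty cache"
        $fn($cache, 'nav_quick_links', $tpl, $first);  // first visitor fills it
        $html = $fn($cache, 'nav_quick_links', $tpl, $second);
        printf("%s: first=%s second=%s sees ACP link: %s\n", $fn,
            $first ? 'admin' : 'guest', $second ? 'admin' : 'guest',
            strpos($html, '[ACP link]') !== false ? 'yes' : 'no');
    }
}
```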
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
I think this could be a big security problem... ALMighty Gorgon, are you there?
|
#2 Mon 16 Oct, 2006 18:30 |
|
moreteavicar
Joined: August 2006
Posts: 608
Location: Classified
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
This hasn't happened to me, and I also have added mg_switch_user_is_admin to some parts of nav_quick_links.tpl. I have two thoughts here.
1) How sure are you that normal users could see these links? If you are logged in as admin, then of course you will see all these links. I use a test user account with normal user privileges to check out any changes I make. At the very least, see what happens to nav quick links when you have logged out.
2) Regular users will probably have bookmarked these areas of your site, or else will go by the browser history. Simply hiding links will not prevent regular users from accessing those areas! Unfortunately there are no view permissions for some items, like sudoku, but it isn't hard to add. As it sounds you are not afraid to tweak, you can try encasing the entire tpl of sudoku.tpl within <!-- BEGIN mg_switch_user_is_admin -->
Do this after:
<tr>
<td colspan="2" class="row-header" nowrap="nowrap"><span>{L_SUDOKU}</span></td>
</tr>
Then add <!-- END mg_switch_user_is_admin --> at the bottom, after
<tr>
<td class="row1">
<span class="gensmall">{LOGGED_IN_USER_LIST} {ACTIVE_USER_LIST}</span>
</td>
</tr>
but before <table>...
(this is a quick fix - I would be inclined to add another switch for normal users, that enabled a message to be displayed, such as "You are not authorised to access this"... this would require some extra logic within sudoku.php (or even page_header.php) to check that the user is not admin, then parse an appropriate template variable. This is done as follows. In includes/page_header.php, a line before $template->pparse('overall_header'); add:
if ($userdata['user_level']!=ADMIN)
{
$template->assign_block_vars('switch_user_not_admin', array());
}
and then in sudoku.tpl, after <!-- END mg_switch_user_is_admin --> add:
<!-- BEGIN switch_user_not_admin -->
<tr>
<td class="row1">Sorry, you are not authorised to access this!</td>
</tr>
<!-- END switch_user_not_admin -->
Let me know if that works!
|
#3 Tue 17 Oct, 2006 00:28 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
First of all, thanks for the answer
Quote:
This hasn't happened to me, and I also have added mg_switch_user_is_admin to some parts of nav_quick_links.tpl. I have two thoughts here.
1) How sure are you that normal users could see these links? If you are logged in as admin, then of course you will see all these links. I use a test user account with normal user privileges to check out any changes I make. At the very least, see what happens to nav quick links when you have logged out.
Oh God... maybe I'm noob but not SO much...
Of course I checked logging out (as guest), with my own test account and with 3 other users too... I wouldn't post here if I wasn't sure
Quote:
2) Regular users will probably have bookmarked these areas of your site, or else will go by the browser history. Simply hiding links will not prevent regular users from accessing those areas!
This could be right if I hid those links AFTER they accessed them... but since I opened the site they've always been hidden. The switch worked, I tried it personally (as guest, test user and bla bla bla ) and even if cached it showed a different quick links block for admins and for others.
The switch stopped working yesterday apparently without reason. It seems that having cached the block, it loads the page without checking whether the user has admin privileges or not (ONLY FOR THAT BLOCK IN PORTAL).
Quote:
Unfortunately there are no view permissions for some items, like sudoku, but it isn't hard to add. As it sounds you are not afraid to tweak, you can try encasing the entire tpl of sudoku.tpl
Uhm... mine is not a sudoku problem
Even if I upload the original nav_quick_links.tpl the switch doesn't work for that block when loaded in portal (this in bold is quite important)
You know, ACP link should be disabled by default (to normal users)! And it is visible to guests too... I really don't think that fixing the entire sudoku.php could help... actually, I appreciate your suggestions and I'm not afraid to tweak of course but I don't think I need a workaround, because the switch worked till yesterday. Couldn't it be "simply" a caching problem?
I'm not a programmer, don't know if the point is this but in rough words I think that portal page loads the block WITHOUT checking whether user is admin or not. And this is kinda... bad. Am I wrong?
|
#4 Tue 17 Oct, 2006 02:38 |
|
moreteavicar
Joined: August 2006
Posts: 608
Location: Classified
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Quote:
Uhm... mine is not a sudoku problem
Is that so? I thought you said this in your first post:
Vortex wrote: Yesterday, navigating the ACP I saw two users playing sudoku, which should have been disabled (I'm monitoring query usage, XS is not kinda... light ), as you can see from the code.
What I am suggesting is a fireproof way to prevent users from accessing sudoku, and likewise the same principle can be applied to anything else you wish to prevent access to. Even if the user sees the option to access it, they cannot use it. Surely that's better: consider also that even if your site is fresh, with hidden options, a user can also access so called "hidden areas" if they have accessed other phpBBXS based sites (or use phpBBXS themselves), because they will know the relative links to access them.
As for the caching issue, I don't think the extreme styles caching system itself will cause that, but to confirm, you can check cache/tpl_ca_aphrodite.nav_quick_links.php - if you see your admin switch lines are in the code, then there is something else not right.
Mentioning caching - are you using the same browser to test these things? How is the browser cache itself configured? Try clearing browser cache / offline content before visiting your site as a guest. I was going to have a peek at your site to confirm this, but I can't find your site details.
|
#5 Tue 17 Oct, 2006 18:46 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Quote:
Uhm... mine is not a sudoku problem
Is that so? I thought you said this in your first post:
Vortex wrote: Yesterday, navigating the ACP I saw two users playing sudoku, which should have been disabled (I'm monitoring query usage, XS is not kinda... light ), as you can see from the code.
I thought I also said that even guest can try login to ACP and THAT is the problem, IMHO.
Sudoku was just an example of a hidden link, but actually I don't care too much about it... at least not as ACP
Quote:
What I am suggesting is a fireproof way to prevent users from accessing sudoku, and likewise the same principle can be applied to anything else you wish to prevent access to. Even if the user sees the option to access it, they cannot use it. Surely that's better: consider also that even if your site is fresh, with hidden options, a user can also access so called "hidden areas" if they have accessed other phpBBXS based sites (or use phpBBXS themselves), because they will know the relative links to access them.
I know, thanks for that I will try this trick for sure, but my problem now is that ACP is visible to guests too... and that's really not good
(and... users of my site don't even know the difference between left and right click... no worry about avoiding hidden links )
Quote:
As for the caching issue, I don't think the extreme styles caching system itself will cause that, but to confirm, you can check cache/tpl_ca_aphrodite.nav_quick_links.php - if you see your admin switch lines are in the code, then there is something else not right.
That's exactly what I tried to say... code is ok. Problem is somewhere else... I keep saying could be a caching problem (I'm talking about board's cache )
Quote:
Mentioning caching - are you using the same browser to test these things? How is the browser cache itself configured? Try clearing browser cache / offline content before visiting your site as a guest. I was going to have a peek at your site to confirm this, but I can't find your site details.
I hope you're jokin' me... OF COURSE I tried clearing the cache of my browser and of course I tried it as normal user and guest. I tried also with three more users. I know what I'm talkin' about
Now I manually removed those links till I find a solution so you will not see them... anyway: www.kope.it is the site.
Notice: Site is NOT VISIBLE WITH INTERNET EXPLORER. I applied Explorer Destroyer
|
#6 Tue 17 Oct, 2006 22:40 |
|
difus
Joined: August 2006
Posts: 763
Location:
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
If sudoku players bookmark it then they can play.
I don't read all, but my users cannot see ACP.
Disable caches for the quick navigation links block if enabled.
You must do tests not at one machine or one IP.
|
#7 Tue 17 Oct, 2006 23:35 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Quote:
If sudoku players bookmark it then they can play.
I don't read all, but my users cannot see ACP.
Disable caches for the quick navigation links block if enabled.
You must do tests not at one machine or one IP.
I answered ALL these four sentences. If you want, read ALL before answering, otherwise it's a waste of time for both of us
|
#8 Wed 18 Oct, 2006 00:14 |
|
difus
Joined: August 2006
Posts: 763
Location:
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
|
#9 Wed 18 Oct, 2006 00:48 |
|
difus
Joined: August 2006
Posts: 763
Location:
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
I don't see it
Last edited by difus on Wed 18 Oct, 2006 01:19; edited 1 time in total |
#10 Wed 18 Oct, 2006 00:58 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
You mean I have to reactivate the switch?
|
#11 Wed 18 Oct, 2006 00:58 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Of course, it was disabled... just try now
|
#12 Wed 18 Oct, 2006 01:04 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Here you are
|
#13 Wed 18 Oct, 2006 01:13 |
|
difus
Joined: August 2006
Posts: 763
Location:
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
It is too late.
Yes, it is not working.
There is an error somewhere, I think,
but the switch is working for header and footer.
Can you attach quick links? I'll test it.
|
#14 Wed 18 Oct, 2006 01:23 |
|
Vortex
Joined: October 2006
Posts: 412
Location: Prato, Italy
|
Re: Quick Links (nav_quick_links.tpl) Doesn't Switch Admin
Yeah I gotta go to bed too
Thanks for help anyway, here's the file. Goodnight, see you tomorrow
(I added .gif extension otherwise couldn't attach it )
#15 Wed 18 Oct, 2006 01:32 |
|
|