phpdevshell team mailing list archive

[Bug 1117723] Re: USER_getGroupsQuery and USER_getRolesQuery give back very wrong results in some cases


@Greg, I know... I'm not complaining about being able to access all this
data, but one expects to rely on functions that deal with security...
And I have to say, while downloading your framework I didn't expect a
bug this big at this level.

For example, I'm going to use userActions to sync with an LDAP that
ultimately gives users some external permissions (like e-mail, FTP, etc.)
based on the roles and groups found here. It's just easier this way
than writing another app (or even a plugin) that deals with users and
disables your menus... Plus, this way I can use the (currently faulty)
functions to know exactly what the user can and can't access (without
searching the slow LDAP every time I need this info).

So, in my case, these methods need to work as expected or the whole
application has a major security flaw.

@TitanKing: I've attached a patch for the code.. I'm sorry I didn't put
this yesterday, but maybe it will help.... even if just for comparing
fixes

** Patch added: "bug1117723.patch"
   https://bugs.launchpad.net/phpdevshell/+bug/1117723/+attachment/3519515/+files/bug1117723.patch

-- 
You received this bug notification because you are a member of
PHPDevShell, which is subscribed to PHPDevShell.
https://bugs.launchpad.net/bugs/1117723

Title:
  USER_getGroupsQuery and USER_getRolesQuery give back very wrong
  results in some cases

Status in Open Source PHP RAD Framework with UI.:
  Confirmed

Bug description:
  Both methods are written without really taking into account that they
  might be called to get information about another user, not the logged
  in one.

  PHPDS->USER_getRolesQuery() checks $this->user->mergeRoles and
  abandons further database checks if that field is not empty. It also
  writes information to $this->user->mergeRoles, so the results of the
  first user checked by this query will be the only result given back by
  it in future calls. And I'm pretty sure $this->user->mergeRoles should
  return only the current user's roles.

  PHPDS->USER_getGroupsQuery() does exactly the same with
  $this->user->mergeGroups, and furthermore it gives back the main group
  more than once (this is because $group_string will contain the main
  group after checking it for children. $group_main shouldn't be merged
  with $group_string after this).
  Also, $group_array is an array response from a query. It should be
  extended with $group_array[] = array('user_group_id' => $group_main),
  not $group_array[$group_main] = array('user_group_id' => $group_main).

  To test this just run $this->userGetRoles($userid) or
  $this->userGetGroups($userid) for 2 different users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/phpdevshell/+bug/1117723/+subscriptions
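As an added illustration, not PHPDevShell's code and not the attached patch, here is a reduced PHP model of the caching defect the report describes for USER_getRolesQuery: a per-object cache on the logged-in user object that is reused for whichever user is asked about next, beside a variant that only caches the logged-in user's own roles. The RoleLookupDemo class, its queryRoles() helper and the sample user and role ids are all hypothetical and constructed for this example.

```php
<?php
// Added example, not PHPDevShell code. Models the defect described in bug 1117723
// (first user's roles cached on $this->user and returned for every later call)
// and a corrected lookup. Class, helper and all ids below are constructed.

class RoleLookupDemo
{
    // Constructed sample data standing in for the database: user id => role ids.
    private $rolesByUser = array(1 => array(10, 11), 2 => array(20));

    // Logged-in user, modelled after $this->user in the report.
    public $user;

    public function __construct($loggedInUserId)
    {
        $this->user = (object) array('user_id' => $loggedInUserId, 'mergeRoles' => null);
    }

    // Stand-in for the roles query against the database.
    private function queryRoles($userId)
    {
        return isset($this->rolesByUser[$userId]) ? $this->rolesByUser[$userId] : array();
    }

    // Pattern described in the report: if the cache on the logged-in user is not
    // empty it is returned as-is, regardless of which $userId was requested.
    public function buggyGetRoles($userId)
    {
        if (!empty($this->user->mergeRoles)) {
            return $this->user->mergeRoles;
        }
        $this->user->mergeRoles = $this->queryRoles($userId);
        return $this->user->mergeRoles;
    }

    // Corrected variant: only the logged-in user's own roles are cached on
    // $this->user; a lookup for any other user always goes to the database.
    public function fixedGetRoles($userId)
    {
        if ($userId != $this->user->user_id) {
            return $this->queryRoles($userId);
        }
        if (empty($this->user->mergeRoles)) {
            $this->user->mergeRoles = $this->queryRoles($userId);
        }
        return $this->user->mergeRoles;
    }
}

$buggy = new RoleLookupDemo(1);
$buggy->buggyGetRoles(1);                            // populates the cache with user 1's roles
assert($buggy->buggyGetRoles(2) === array(10, 11));  // the defect: user 2 is answered with user 1's roles

$fixed = new RoleLookupDemo(1);
$fixed->fixedGetRoles(1);
assert($fixed->fixedGetRoles(2) === array(20));      // user 2 is read fresh from the lookup
```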
