PDDownloads 1.2 Permissions Check Broken
  • rlankford
  • 2007/1/31 18:52
  • Not too shy to talk
  • Posts: 158
  • Since: 2004/8/27


I've recently upgraded from version 1 to version 1.2. I have a section of files that I restrict to a particular XOOPS group of users (let's call it 'specialGroup'). This functionality no longer works with this module. I believe the problem to be new and it isn't a matter of syntax. Rather, it seems to be a logical problem with how the code is set up.

Please look at the following code in singlefile.php:

$result = $xoopsDB->query("SELECT a.*, b.* FROM " . $xoopsDB->prefix("PDdownloads{$mydirnumber}_downloads") . " a, " . $xoopsDB->prefix('group_permission') . " b WHERE (a.lid = $lid AND b.gperm_itemid = $lid) AND a.offline = 0 AND (a.published > 0 AND a.published <= $time_cur) AND (a.expired = 0 OR a.expired > $time_cur) AND b.gperm_modid = $module_id AND b.gperm_name = 'PDDownFilePerm{$mydirnumber}' AND b.gperm_groupid = $groups[0]");


The last constraint on the query makes mention of $groups[0]. $groups is an array that simply contains a list of all the groups that the currently logged on user is a part of. The query is now hard-coded to only search on the first group that the user is a part of. This doesn't work! All users are a part of 'registered users' in Xoops. This group is always higher in the array than the 'specialGroup' group. Because of this, it's impossible for anyone to see my download record because singlefile.php doesn't recognize anyone from 'registered users' as having access to the document!

You can fix this particular page easily enough by removing the last constraint from the query shown above. This, however, doesn't fix the code in viewcat.php. The same problems apply, but they manifest themselves differently since the code there is much more complex.

I can't be the first person to have run across this! Is there a fix available (or being worked on) for this problem in how permissions are checked? I haven't spent much time on this myself yet, but it looks to me as if the programmers of this module have neglected to fully appreciate the task of checking permissions for each of these records.

Please don't consider this post a flame. I very much appreciate this module and look forward to any responses. Thanks in advance for any help as it's much appreciated.

Note: I'll be cross posting this over on the PDDownloads forum too.
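Added example, not code from the PDDownloads module or from the poster: the group constraint that singlefile.php builds from the user's group list, in the single-group form quoted above and in a corrected form that checks every group the user belongs to with an IN list. Group ids, the download id and the group_permission rows are constructed for this example; the in-memory check stands in for the database so it runs without XOOPS. Note that simply dropping the group constraint, as mentioned above as a quick fix, makes the join match a grant for any group at all, so the restriction disappears entirely rather than being evaluated correctly.

```php
<?php
// Added example (not the PDDownloads module's own code). Constructed
// assumptions: group 2 is 'Registered Users', group 5 is 'specialGroup';
// download $lid = 42 is granted only to group 5; $groups is the user's
// group list in the order XOOPS returns it, registered users first.

// Broken form: only the first group in the list is compared, so a grant
// to any later group (specialGroup) is never seen.
function groupClauseBroken(array $groups): string
{
    return 'b.gperm_groupid = ' . (int) $groups[0];
}

// Corrected form: compare against every group the user belongs to.
// Each id is cast to int before it goes into the SQL string, so the
// list cannot carry anything but numbers into the query.
function groupClauseFixed(array $groups): string
{
    if (empty($groups)) {
        return '0';   // no groups at all: constraint can never match
    }
    $ids = array_unique(array_map('intval', $groups));
    return 'b.gperm_groupid IN (' . implode(',', $ids) . ')';
}

// Stand-in for the database: evaluate the WHERE clause's group part
// against a constructed group_permission table.
function hasAccess(array $permTable, int $lid, array $groups, bool $useFixedClause): bool
{
    $allowed = $useFixedClause
        ? array_map('intval', $groups)
        : [(int) $groups[0]];
    foreach ($permTable as $row) {
        if ($row['gperm_itemid'] === $lid
            && in_array($row['gperm_groupid'], $allowed, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample rows for gperm_name 'PDDownFilePerm1'.
$permTable = [
    ['gperm_itemid' => 42, 'gperm_groupid' => 5],   // specialGroup only
];
$groups = [2, 5];   // registered users first, specialGroup second

echo groupClauseBroken($groups), "\n";
echo groupClauseFixed($groups), "\n";
var_dump(hasAccess($permTable, 42, $groups, false));
var_dump(hasAccess($permTable, 42, $groups, true));
```

With the constructed data the single-group clause compares only group 2 and the member of specialGroup is refused, while the IN-list clause matches the grant to group 5. The same replacement of `= $groups[0]` with an IN list over all of the user's groups is the change the quoted singlefile.php query needs; viewcat.php is not shown here, so nothing about its query is assumed.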
