11
redheadedrod
Re: Permissions problems with 2.5.6 RC 1

For compatibility reasons this should have been left to 2.6 and left out of 2.5.6 if it breaks modules...

Thought that the 2.5 branch was locked at 2.5.4 except for security issues. In other words things written to work in 2.5.4 should be working with 2.5.6.

Unless it is something that has made Xoops suddenly insecure then it should be changed back to 2.5.5 compatible code and left to 2.6..


12
irmtfan
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 2:39

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


@Peekay and redheadedrod

After reading this comment by Mamba, I installed xoops2.5.6 and at least news 1.68 and newbb 4.3 works without any issue.
I still didnt know what is the changes so i get a full diff from 255 and 256 and it seems that change is this one:
in XOOPS256/class/xoopsform/grouppermform.php

they add xoops_load('XoopsFormHiddenToken'); line

then i find this:
https://xoops.org/modules/newbb/viewtopic.php?post_id=352575#forumpost352575

Quote:

Some modules that use this file in their Permissions, will need to be modified to include the HiddenToken files. This has been changed in the RC to address some security issues.


But i still think there should be a way to make those modules work without any modification. maybe im wrong but i should do more investigation.

Edit:

now i find this:
Quote:

Some modules that use that file locally, don't have it, and they need to add it locally.


so it seems some developers copy /class/xoopsform/grouppermform.php from core to their modules and used it locally. (That is very bad coding style)

IMO there is a way to solve incompatibilities by adding xoops_load('XoopsFormHiddenToken'); to a reliable location like include/common.php but it may cause security issues for those modules.

Edit2:
Now im sure add that line to include/common.php will solve issue.
Also im nearly sure there is no security issue for those modules. but still need to be confirmed by experts.


13
Mamba
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 14:52

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


To address this issue:

1) as stated in Changelog, XOOPS 2.5.6 addresses some security issues. It was not something that Trabis would do, if there was no clear need for it, especially since we wanted to avoid any changes that were not related to PHP 5.4 (except adding new comments option)

2) These issues have been addressed in the Core, and should have no impact on standard modules

3) Unfortunately, some module copied and use the file grouppermform.php locally. If there were no custom changes to that file, then the advice from John will take care of it:

Quote:
I think I found an easy fix for the jobs module, go to admin/groupperms.php around line 33 and find this line:

include_once XOOPS_ROOT_PATH . "/modules/$mydirname/class/grouppermform.php";

replace it with this:

include_once XOOPS_ROOT_PATH . '/class/xoopsform/grouppermform.php';

Otherwise, in other modules, if there are custom changes to this file: /modules/jobs/class/grouppermform.php

in Line 28 add:

xoops_load('XoopsFormHiddenToken');

In line 86, after:
$this->addElement(new XoopsFormHidden('modid'$this->_modid));

add:

$this->addElement(new XoopsFormHiddenToken($permname));

And this should solve the issue.

4) This situation shows how important is testing of XOOPS Beta and RC releases, so those kind of issues are discovered and fixed before the Final release.

5) The goal is to fix all modules that have reported such issues and be available for the release of XOOPS 2.5.6

So please continue testing of XOOPS 2.5.6 RC1, and let us know if you find any issues, and we'll fix them.

14
Mamba
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 16:00

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


@ Peekay:
Quote:
Mamba, I confess I am a little disturbed by this comment. The user and group permissions features of Xoops is probably the one and only thing that sets it apart from other CMS solutions. It has worked flawlessly for years without any security issues that I am aware of. Tinkering with this and causing a failure (which has clearly happened) is not good to see. Why exactly have these changes been made and to what benefit?.

As I've mentioned in my previous post, it was an improvement to our security. The approaches how to hack systems are changing and improving, so even if this particular part of XOOPS worked fine over years, when we learn about a potential risk, we have to fix it. XOOPS has been always committed to protect our users, and to ensure that XOOPS is the most secure CMS it can be, with no compromises on security.

Quote:
That is very nice, but surely the path change alone will cause many other modules to fail?

No, only those modules that copied and use locally the grouppermform.php, which as Irmtfan said, is not necessarily a best programming practice. But to fix the issue it will take 10 seconds for the user by adding two lines of code.

Quote:
This dependence on 'official' module packs is damaging Xoops reputation as a development platform. This type of change should have been documented *before* this particular version of Xoops was released.

Hmm, why is it damaging? The whole idea about having an "official" module packs was to make sure that our users can be ensured that the most popular modules will be maintained and they don't have to worry about "orphaned" modules not being compatible with latest XOOPS versions.

The modules that we've tested after that change were working just fine. Only recently I've been made aware that some developers have decided to copy the grouppermform.php file locally. After learning that we've issued a statement and were working on proper instructions on how to fix it by the user.

I agree with you that if there are changes that we know will impact existing modules, we should provide instructions on how to fix it. Originally, based on our testing, we were not aware of any issues, as the change was internal to the Core. It became an issue with modules where developers took parts of the Core and copied it to their local modules, instead subclassing.

Now that we've learned about the situation, we are addressing it.

I am always interested in improving our processes, so what would you do differently here? Your feedback is very much appreciated!
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

15
chefry
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 16:21

  • chefry

  • Home away from home

  • Posts: 1005

  • Since: 2006/10/14


you had some errors in your coding

you have to do this

root/class/xoopsform/grouppermform.php

insert a new line after line 24 with xoops_load('XoopsFormHiddenToken');

modules/jobs/class/grouppermform.php

insert a new line after line 27 with xoops_load('XoopsFormHiddenToken');

start a new line after line 86 $this->addElement(new XoopsFormHidden('modid', $this->_modid));

insert $this->addElement(new XoopsFormHiddenToken($permname));

16
Mamba
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 18:03

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


Quote:
root/class/xoopsform/grouppermform.php

insert a new line after line 24 with xoops_load('XoopsFormHiddenToken');

???????

Chefry, what version of XOOPS 2.5.6 are you using?

this line has been in the Core already since March 1st.
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

17
jlm69
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 18:07

  • jlm69

  • Module Developer

  • Posts: 719

  • Since: 2002/7/19


That is strange. In 2.5.6 RC1 my line 24 of root/class/xoopsform/grouppermform.php is:

xoops_load('XoopsFormHiddenToken');

And after making the change below to jobs/admin/groupperms.php :

go to admin/groupperms.php around line 33 and find this line:

include_once XOOPS_ROOT_PATH . "/modules/$mydirname/class/grouppermform.php";

replace it with this:

include_once XOOPS_ROOT_PATH . '/class/xoopsform/grouppermform.php';


it Should work fine, should be no need to add anything to jobs/class/grouppermform.php,
in fact that file can be removed completely and probably should.

If line 24 is not xoops_load('XoopsFormHiddenToken'); maybe the file never got updated.

Thats the way I see it,

John


18
chefry
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 18:20

  • chefry

  • Home away from home

  • Posts: 1005

  • Since: 2006/10/14


XOOPS Version XOOPS 2.5.6-RC1

I just downloaded it last week from sourceforge. Tuesday I think

And I kept getting errors until I made that change to root/class/xoopsform/grouppermform.php

inside that file it says

* @version $Id: grouppermform.php 10981 2013-02-04 19:37:48Z trabis $

19
Mamba
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 18:31

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


@ Chefry:
Quote:
I just downloaded it last week from sourceforge. Tuesday I think

Something obviously went wrong here. Download it again, and compare the files, because you have the wrong files.

@ jml69
Quote:
And after making the change below to jobs/admin/groupperms.php :

go to admin/groupperms.php around line 33 and find this line:

include_once XOOPS_ROOT_PATH . "/modules/$mydirname/class/grouppermform.php";

replace it with this:

include_once XOOPS_ROOT_PATH . '/class/xoopsform/grouppermform.php';


it Should work fine, should be no need to add anything to jobs/class/grouppermform.php,
in fact that file can be removed completely and probably should.

You're absolutely right, since you file was not changed/customized.
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

20
chefry
Re: Permissions problems with 2.5.6 RC 1
  • 2013/4/18 18:37

  • chefry

  • Home away from home

  • Posts: 1005

  • Since: 2006/10/14


the file name I have is xoops-2.5.6-RC0.7z

and I downloaded it on the 11th of April

from here

Login

Who's Online

253 user(s) are online (121 user(s) are browsing Support Forums)


Members: 0


Guests: 253


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits