[BUG - 1.1 RC2] ManageBoards Permission

Started by Harzem, August 03, 2006, 06:02:37 PM


Harzem

Hi,

We've detected a harmless problem in the admin panel of 1.1 RC2. This is just like a typo. No security threats.

As a regular user, we can't administrate a forum, so we get an error if we type ?action=admin.
This is also true for other administrative actions, like action=managecalendar, action=viewmembers, or action=manageattachments. They all throw an error.

But there is a problem in action=manageboards.

First, it asks for admin session password, even if you are not an admin. After entering the password, it creates a small part of the menu at the left. Then it throws the error.

This is because of a missing line in manageboards.php

This is from managecalendar.php:
Quote
function ManageCalendar()
{
   global $context, $txt, $scripturl, $modSettings;

   isAllowedTo('admin_forum');

   // Administrative side bar, here we come!
   adminIndex('manage_calendar');

This is from manageattachments.php:

Quote
function ManageAttachments()
{
   global $txt, $db_prefix, $modSettings, $scripturl, $context, $options;

   // You have to be able to moderate the forum to do this.
   isAllowedTo('manage_attachments');

   // Show the administration bar, etc.
   adminIndex('manage_attachments');

These two files are not problematic. But in manageboards.php:

Quote
function ManageBoards()
{
   global $context, $txt, $scripturl;

   // Administrative side bar, here we come!
   adminIndex('manage_boards');

there is no permission check. This creates the error I've stated above.

It looks harmless for now, but it may create some other errors.


Thantos

Quote
First, it asks for admin session password, even if you are not an admin
All admin functions require you to enter your password as a security measure.

You need to look a little bit further down in your code:


// Format: 'sub-action' => array('function', 'permission')
$subActions = array(
   'board' => array('EditBoard', 'manage_boards'),
   'board2' => array('EditBoard2', 'manage_boards'),
   'cat' => array('EditCategory', 'manage_boards'),
   'cat2' => array('EditCategory2', 'manage_boards'),
   'main' => array('ManageBoardsMain', 'manage_boards'),
   'move' => array('ManageBoardsMain', 'manage_boards'),
   'newcat' => array('EditCategory', 'manage_boards'),
   'newboard' => array('EditBoard', 'manage_boards'),
   'settings' => array('EditBoardSettings', 'admin_forum'),
);

// Default to sub action 'main' or 'settings' depending on permissions.
$_REQUEST['sa'] = isset($_REQUEST['sa']) && isset($subActions[$_REQUEST['sa']]) ? $_REQUEST['sa'] : (allowedTo('manage_boards') ? 'main' : 'settings');

// Have you got the proper permissions?
isAllowedTo($subActions[$_REQUEST['sa']][1]);


If an error occurs due to not having the permission it shouldn't even render the admin index.

Harzem

It renders two menu items. To see it better, you can try this:

Login to http://www.harzem.com/forum/index.php?language=english
with user: Thantos , pass: test

Then click here:
http://www.harzem.com/forum/index.php?action=managecalendar
You will get the error with no admin password request. That is expected behaviour.

Then click here:
http://www.harzem.com/forum/index.php?action=manageboards

It will request the password first, then render two menu items, then give the error.

Thantos

Ok, the reason it was rendering the side bar first is that adminIndex() adds the admin layer. It's also what validates your session (which requires the admin login).

For consistency's sake I'm gonna move the adminIndex call to after the permission check.
There really wasn't any bug, we just weren't keeping this consistent.
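The ordering Thantos describes, as an added PHP example that is not SMF's code: resolve the sub-action, authorise it, and only then render the admin side bar, so a denied user never triggers the admin layer. The user names, permission sets and the PermissionDenied exception are constructed stand-ins for the SMF calls quoted above.

```php
<?php
// Added example, not SMF's code: a minimal ManageBoards-style dispatcher in which
// the permission check runs before anything from the admin layer is rendered.
class PermissionDenied extends Exception {}
// Constructed permission sets for sample users (hypothetical names and grants).
$users = [
    'admin'    => ['admin_forum', 'manage_boards'],
    'boardmod' => ['manage_boards'],
    'regular'  => [],
];
function allowedTo(array $perms, string $permission): bool
{
    return in_array($permission, $perms, true);
}
// Throws instead of returning, standing in for the fatal error the thread describes.
function isAllowedTo(array $perms, string $permission): void
{
    if (!allowedTo($perms, $permission)) {
        throw new PermissionDenied("missing permission '$permission'");
    }
}
// Sub-action table in the thread's 'sub-action' => ['function', 'permission'] shape.
$subActions = [
    'main'     => ['ManageBoardsMain', 'manage_boards'],
    'settings' => ['EditBoardSettings', 'admin_forum'],
];
function manageBoards(array $perms, ?string $sa, array $subActions, array &$rendered): string
{
    // 1. Resolve the sub-action, defaulting on what the user is allowed to do.
    $sa = ($sa !== null && isset($subActions[$sa])) ? $sa
        : (allowedTo($perms, 'manage_boards') ? 'main' : 'settings');
    // 2. Authorise before any side effect.
    isAllowedTo($perms, $subActions[$sa][1]);
    // 3. Only now build the admin side bar (stand-in for adminIndex('manage_boards')).
    $rendered[] = 'admin_index';
    return $subActions[$sa][0];
}

// Walk-through with no explicit sa: a denied user must leave $rendered empty.
foreach ($users as $name => $perms) {
    $rendered = [];
    try {
        $fn = manageBoards($perms, null, $subActions, $rendered);
        printf("%-8s -> %s, rendered: %s\n", $name, $fn, implode(',', $rendered));
    } catch (PermissionDenied $e) {
        printf("%-8s -> denied (%s), rendered: %d items\n", $name, $e->getMessage(), count($rendered));
    }
}
```

The 'regular' user falls back to the 'settings' sub-action, fails the 'admin_forum' check and leaves nothing rendered, which is the behaviour the thread wants instead of a partially drawn menu followed by the error.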

Harzem

We just need a line above the adminIndex. This is what I suggested on the Turkish boards:

Find:

// Administrative side bar, here we come!
adminIndex('manage_boards');


Add this before it:

isAllowedTo('manage_boards');


This is fully consistent with other Sources files. But anyway, you are the DEV ;)

offtopic:
Why can't we set our birth year as 0004? :D
