Advertisement:

Author Topic: [4925] [2.0 RC3] membersAllowedTo doesn't deal with post count groups  (Read 4777 times)

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,047
    • Arantor on GitHub
Within Subs-Members.php there is a function for getting all the members that have a given permission, optionally within a specific board.

It gets the data from groupsAllowedTo(), which is simply a list of all the groups that would be allowed to have a specific permission (optionally in the specified board), then membersAllowedTo() looks up all the members that that fits.

Let's say for the sake of argument, we've called a permission that counts for groups 1, 2 and 4 - admins, global moderators and Newbie. It's slightly contrived but it explains the problem.

The query produced takes the form of WHERE mem.id_group IN (1,2,4) OR FIND_IN_SET(2, mem.additional_groups) != 0 OR FIND_IN_SET(4, mem.additional_groups) != 0 OR FIND_IN_SET(1, mem.additional_groups) != 0

I'm leaving out the matter of board moderators being included, but it doesn't actually affect the net result: you still get a query that never looks at mem.id_post_group, so even if groupsAllowedTo gives you a post count group, it will never match for this purpose, even if it's only given based on post count group.


I'm not sure if you'd classify this as a bug, exactly. But I'd argue it should at least be considered, in the places it's used, and figured out whether it should be altered.

* Arantor encountered this in looking over SMF's permissions for writing new for SimpleDesk.
« Last Edit: January 05, 2012, 09:06:19 AM by emanuele »
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Norv

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 18,313
  • Blue Wolf
Re: [2.0 RC3] membersAllowedTo doesn't deal with post count groups
« Reply #1 on: July 18, 2010, 06:44:36 AM »
I think I remember something of this kind being reported previously. Anyway I'd agree that post-count groups should be considered, it just isn't clear to me in what scenarios are we talking about, here.
Worth looking into, anyway, IMHO.
To-do lists are for deferral. The more things you write down the later they're done… until you have 100s of lists of things you don't do.
File a security report | Developers' Blog | Bug Tracker

Also known as Norv on D* | Norv N. on G+ | Norv on Github

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: [2.0 RC3] membersAllowedTo doesn't deal with post count groups
« Reply #2 on: January 05, 2012, 08:09:13 AM »
So, the interested function is membersAllowedTo that is used in:
* Reports.php to list global moderators and admin,
* Profile-Modify.php to find the members that have manage_membergroups permission to send a notification of the new request,
* SendTopic.php to "Get a list of members with the moderate_board permission." in ReportToModerator2 (send a report).

It's unlikely I think that a post based membergroup can have any of the permission checked by this function right now, but is also true that for future use it could be useful to have the post based membergroups in the query too.

Here the query is:
Code: [Select]
$request = $smcFunc['db_query']('', '
SELECT mem.id_member
FROM {db_prefix}members AS mem' . ($include_moderators || $exclude_moderators ? '
LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_member = mem.id_member AND mods.id_board = {int:board_id})' : '') . '
WHERE (' . ($include_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_allowed}) OR FIND_IN_SET({raw:member_group_allowed_implode}, mem.additional_groups) != 0)' . (empty($member_groups['denied']) ? '' : '
AND NOT (' . ($exclude_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_denied}) OR FIND_IN_SET({raw:member_group_denied_implode}, mem.additional_groups) != 0)'),
array(
'member_groups_allowed' => $member_groups['allowed'],
'member_groups_denied' => $member_groups['denied'],
'board_id' => $board_id,
'member_group_allowed_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['allowed']),
'member_group_denied_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['denied']),
)
);

it should become (I think):
Code: [Select]
$request = $smcFunc['db_query']('', '
SELECT mem.id_member
FROM {db_prefix}members AS mem' . ($include_moderators || $exclude_moderators ? '
LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_member = mem.id_member AND mods.id_board = {int:board_id})' : '') . '
WHERE (' . ($include_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_allowed}) OR FIND_IN_SET({raw:member_group_allowed_implode}, mem.additional_groups) != 0 OR mem.id_post_group IN ({array_int:member_groups_allowed}))' . (empty($member_groups['denied']) ? '' : '
AND NOT (' . ($exclude_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_denied}) OR FIND_IN_SET({raw:member_group_denied_implode}, mem.additional_groups) != 0 OR mem.id_post_group IN ({array_int:member_groups_denied}))'),
array(
'member_groups_allowed' => $member_groups['allowed'],
'member_groups_denied' => $member_groups['denied'],
'board_id' => $board_id,
'member_group_allowed_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['allowed']),
'member_group_denied_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['denied']),
)
);


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: [4925] [2.0 RC3] membersAllowedTo doesn't deal with post count groups
« Reply #3 on: October 14, 2012, 03:38:29 PM »
Oh well, I applied it. :P

commit 0f3cf7dfdcea7b374022e1a3b6df1ffd69a879be
Author: emanuele
Date:   Sun Oct 14 2012

    membersAllowedTo should now deal with post-based membergroups [Topic 380058] - Thanks Arantor for the report


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline GL700Wing

  • Jr. Member
  • **
  • Posts: 269
  • Gender: Female
I've noticed this is not in Subs-Members.php in SMF 2.0.14 - it is implemented some other way/no longer necessary?

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 48,072
please stop bumping old topics, as it stats in the message above yours the fix was committed.