Posted on: 09/16/08 12:40am
By: Anonymous (Jeremy)
Hi,
Just did a plain install and noticed that the default Admin user cannot delete/add groups/users. I managed to register myself as another user and that worked ok. However the admin user could not change my permissions.
Looks like it's a specific admin rights problem that I am missing.
Oh, and when you delete or edit it looks like it worked. I mean there was no error; it just redirected back to the menu page.
Any Ideas?
Re: root Admin cant delete or add?
Posted on: 09/16/08 01:52am
By: Dirk
Sounds like an issue with the CSRF protection. Are you using the Professional theme?
bye, Dirk
Re: root Admin cant delete or add?
Posted on: 09/16/08 05:11am
By: Anonymous (Jeremy)
Yes just the standard professional theme.
I am using it on IIS with FastCGI if that makes a difference.
Re: root Admin cant delete or add?
Posted on: 09/16/08 05:18am
By: Dirk
Hmm, missing referrer headers perhaps? Do you have any entries in your error.log referring to those failed operations?
bye, Dirk
Re: root Admin cant delete or add?
Posted on: 09/16/08 10:55pm
By: Anonymous (Jeremy)
Hi,
I found this in the access.log file
User Admin tried to illegally delete topic Geeklog and failed CSRF checks.
Regards
Jeremy
Re: root Admin cant delete or add?
Posted on: 09/17/08 05:08am
By: Dirk
Quote by Jeremy: User Admin tried to illegally delete topic Geeklog and failed CSRF checks.
As suspected. Since you're using the Professional theme, I suspect that your browser is not sending referrers or you're using a proxy or firewall that filters them out. Check that and try to enable referrers.
bye, Dirk
Re: root Admin cant delete or add?
Posted on: 09/18/08 02:12am
By: Anonymous (Jeremy)
Did an echo on ($tokendata['urlfor'] != $_SERVER['HTTP_REFERER']), and the HTTP_REFERER included the query string and thus did not match urlfor.
Did a little parsing of the REFERER to remove the query string and it works now.
// Parse the referer and rebuild it as scheme://host/path, dropping the
// query string so it can be compared against the URL stored with the token
$ref = parse_url($_SERVER['HTTP_REFERER']);
$newReferer = $ref['scheme'] . "://" . $ref['host'] . $ref['path'];
However not sure if that is the correct solution
Jeremy
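The comparison Jeremy patched, written out as an added example (this is not Geeklog's own code and the function names are hypothetical): both the stored token URL and the incoming Referer are reduced to scheme://host/path before they are compared, so a query string on either side does not produce a spurious mismatch, and a missing or unparsable Referer (the proxy/firewall case Dirk mentioned) fails closed. The sample URLs at the bottom are constructed, not taken from a real gl_tokens row.

```php
<?php
// Added example, not Geeklog code. Normalise both sides of the CSRF
// referer check before comparing them.

/**
 * Reduce a URL to "scheme://host[:port]/path": drop the query string and
 * fragment, lower-case scheme and host, default an empty path to "/".
 * Returns null when the value is empty, unparsable, or lacks scheme/host.
 */
function normalize_referer_url($url)
{
    if (!is_string($url) || $url === '') {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $path = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
    return strtolower($p['scheme']) . '://' . strtolower($p['host']) . $port . $path;
}

/**
 * True only when a Referer was sent and, after normalisation, it matches
 * the urlfor stored with the token. No Referer means no match (fail closed),
 * which is the behaviour the "failed CSRF checks" log line reflects.
 */
function referer_matches_urlfor($referer, $urlfor)
{
    $a = normalize_referer_url($referer);
    $b = normalize_referer_url($urlfor);
    return $a !== null && $b !== null && $a === $b;
}

// Constructed sample values (hypothetical, not from a live install).
// In a real request the first argument would be
// isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''.
$urlfor = 'http://example.com/admin/topic.php';
$cases = array(
    'http://example.com/admin/topic.php?mode=edit&tid=Geeklog' => true,  // query string stripped
    'HTTP://Example.com/admin/topic.php'                        => true,  // scheme/host case-insensitive
    'http://example.com/admin/user.php?mode=edit'               => false, // different path
    'http://attacker.example/admin/topic.php'                   => false, // different host
    ''                                                          => false, // header missing or stripped by a proxy
);

foreach ($cases as $referer => $expected) {
    $got = referer_matches_urlfor($referer, $urlfor);
    printf("%-58s => %-8s (%s)\n",
           $referer === '' ? '(no referer)' : $referer,
           $got ? 'match' : 'no match',
           $got === $expected ? 'ok' : 'UNEXPECTED');
}
```

Two caveats worth keeping in mind with this approach: the Referer header is supplied by the client and is frequently absent, so it can only ever be a secondary check alongside the token value itself; and normalising away the query string deliberately loosens the comparison, so two pages that differ only in their query parameters will be treated as the same origin page for this check.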
Re: root Admin cant delete or add?
Posted on: 09/18/08 02:42pm
By: THEMike
What browser are you using?
I think the referrer sent is controlled by the browser, rather than the web server.
Need to get this happening for me to debug and make sure the fix works; Firefox and IE7 both send the query string in the referer. The system logs the query string.
Can you check gl_tokens and see if the token created has the query string on it? Maybe IIS + FastCGI isn't setting $_SERVER['QUERY_STRING']?
Mike