Bug #585310 “SecretURL prompting for a password” : Bugs : Mahara

Revision history for this message

François Marier (fmarier) wrote on 2010-07-14:

#1

The password prompt might be coming from some AJAX request...

Changed in mahara:
status:	New → Triaged
importance:	Undecided → Medium
milestone:	none → 1.3.0

Alan McNatty (alanmc) on 2010-07-19

Changed in mahara:
assignee:	nobody → Alan McNatty (alanmc)

Alan McNatty (alanmc) on 2010-07-19

Changed in mahara:
status:	Triaged → In Progress

Revision history for this message

Alan McNatty (alanmc) wrote on 2010-07-19:

#2

One to be reviewed with a wider audience.

Basically view/view.php allows access by checking viewid and taking into consideration user and mnet tokens (consider also get_view_from_token) as follows:

if (!can_view_view($viewid, null, $usertoken, $mnettoken)) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}

However when we try and render the actual resume object (a ArtefactTypeResumeComposite which extends ArtefactTypeResume) we find it's own render_self is a little bit broken (it is the only type that checks access again for example). A simple fix is to remove this check and hence the exception is not raised but it suggests that the class may need general review.

diff --git a/htdocs/artefact/resume/lib.php b/htdocs/artefact/resume/lib.php
index ec07f41..89057c7 100644
--- a/htdocs/artefact/resume/lib.php
+++ b/htdocs/artefact/resume/lib.php
@@ -539,9 +539,10 @@ abstract class ArtefactTypeResumeComposite extends ArtefactTypeResume {
ORDER BY ar.displayorder';

         if (!empty($options['viewid'])) {
- if (!can_view_view($options['viewid'])) {
- throw new AccessDeniedException();
- }
+ //if (!can_view_view($options['viewid'])) {
+ //AJM Should be ... if (!can_view_view($options['viewid'], null, $options['usertoken'], $options['mnettoken'])) {
+ // throw new AccessDeniedException();
+ //}
             require_once('view.php');
             $v = new View($options['viewid']);
             $owner = $v->get('owner');

Note: it was useful to disable exception handling to find this bug.

diff --git a/htdocs/lib/errors.php b/htdocs/lib/errors.php
index c042804..91a9ab6 100644
--- a/htdocs/lib/errors.php
+++ b/htdocs/lib/errors.php
@@ -68,8 +68,7 @@ define('DEVMODE_UNPACKEDJS', 8);
// Tell PHP about our error settings
error_reporting(E_ALL);
set_error_handler('error');
-set_exception_handler('exception');
-
+//set_exception_handler('exception');

One to be reviewed with a wider audience.

Basically view/view.php allows access by checking viewid and taking into consideration user and mnet tokens (consider also get_view_from_token) as follows:

if (!can_view_view($viewid, null, $usertoken, $mnettoken)) {
    throw new AccessDeniedException(get_string('accessdenied', 'error'));
}

However when we try and render the actual resume object (a ArtefactTypeResumeComposite which extends ArtefactTypeResume) we find it's own render_self is a little bit broken (it is the only type that checks access again for example). A simple fix is to remove this check and hence the exception is not raised but it suggests that the class may need general review.

diff --git a/htdocs/artefact/resume/lib.php b/htdocs/artefact/resume/lib.php
index ec07f41..89057c7 100644
--- a/htdocs/artefact/resume/lib.php
+++ b/htdocs/artefact/resume/lib.php
@@ -539,9 +539,10 @@ abstract class ArtefactTypeResumeComposite extends ArtefactTypeResume {
             ORDER BY ar.displayorder';
 
         if (!empty($options['viewid'])) { 
-            if (!can_view_view($options['viewid'])) {
-                throw new AccessDeniedException();
-            }
+            //if (!can_view_view($options['viewid'])) {
+            //AJM Should be ... if (!can_view_view($options['viewid'], null, $options['usertoken'], $options['mnettoken'])) {
+            //   throw new AccessDeniedException();
+            //}
             require_once('view.php');
             $v = new View($options['viewid']);
             $owner = $v->get('owner');

Note: it was useful to disable exception handling to find this bug.

diff --git a/htdocs/lib/errors.php b/htdocs/lib/errors.php
index c042804..91a9ab6 100644
--- a/htdocs/lib/errors.php
+++ b/htdocs/lib/errors.php
@@ -68,8 +68,7 @@ define('DEVMODE_UNPACKEDJS', 8);
 // Tell PHP about our error settings
 error_reporting(E_ALL);
 set_error_handler('error');
-set_exception_handler('exception');
-
+//set_exception_handler('exception');

Revision history for this message

Alan McNatty (alanmc) wrote on 2010-07-20:

#3

Fix pushed to http://gitorious.org/mahara/alanmcs-mahara/commit/a5205c6bd0b1e2e9ec286fcb872aabfe63900de2

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2010-07-20:

#4

Looks good. I'm sure that the point of Nigel's patch (the render resume without javascript one) was to remove the use of composite.json.php except when editing your own resume; it's no longer used in views.

This means that in addition to the clean up you made above, we can remove the view parameter altogether (and anything that depends on it) from that file, and just assume the owner is always the logged in user ($USER), and also get rid of the define('PUBLIC',1) stuff.

Should be more secure, so I'll do that once I've pushed it. Hopefully I'm right about that and it won't break a bunch of stuff...

Richard Mansfield (richard-mansfield) on 2010-07-20

Changed in mahara:
status:	In Progress → Fix Committed

Richard Mansfield (richard-mansfield) on 2010-09-10

Changed in mahara:
status:	Fix Committed → Fix Released

Mahara

SecretURL prompting for a password

Bug Description

Other bug subscribers

Remote bug watches