protector package (was Controlling forum access by group)

paul greavy
Joined: 31 Mar 2005

protector package (was Controlling forum access by group)

Posted:06 Nov 2009 (16:01 UTC)
OK, It looks as if there is a small problem with the protector package. I set a board to be viewable only by members of the editors group. This now seems to block all access to the site. Worse still, if I'm not logged in I can't even log back in to change it. That's right, even the log in page is blocked.

As soon as I do remove the protection then site access is restored.

(Tip for anyone stuck like this - you can hide the package by prefixing the directory name with a '.' )

I guess I'll have to dig into the code a little to see what is going on.
paul greavy
Joined: 31 Mar 2005

Re: protector package (was Controlling forum access by group)

Posted:06 Nov 2009 (17:21 UTC)
Hmmm... digging into the code and looking at the underlying database hasn't helped.

Worse still the test site I tried it on doesn't exhibit the problem. That makes it difficult to debug as the problem site is remote and the network connection is not too good.

FWIW, the site displays the 'Permission denied' screen and all four links (login, register, home page and previous page) throw the same page up. So far it looks like a really neat way of locking the site down (:biggrin:)
paul greavy
Joined: 31 Mar 2005

Re: protector package (was Controlling forum access by group)

Posted:07 Nov 2009 (11:06 UTC)
OK, there is a bug somewhere
Here is a synopsis of the query sequence:

Q13 - UPDATE stats_pageviews
Q14 - SELECT tl.* FROM themes_layouts
Q15 - SELECT tl.* FROM themes_layouts
Q16 - SELECT FIRST 10 SKIP 0 e.*, ... FROM events e
Q17 - SELECT FIRST 1 COUNT( * ) FROM events e
Q18 - SELECT FIRST 10 SKIP 0 lcom.* ...
      FROM liberty_comments lcom ...
      WHERE lcom.parent_id=ptc.content_id
      AND (lcgm.content_id IS NULL OR lcgm.group_id IN( -1 )
      OR ugm.user_id= -1)
Q19 - SELECT FIRST 1 content_type_guid
      FROM liberty_content
      WHERE content_id=14
Q20 - SELECT lc.content_id, lcgm.group_id as is_protected
      FROM liberty_content lc
      LEFT JOIN liberty_content_group_map lcgm
        ON ( lc.content_id=lcgm.content_id )
      LEFT OUTER JOIN users_groups_map ugm
        ON ( ugm.user_id=-1 )
       AND ( ugm.group_id=lcgm.group_id )
      WHERE lc.content_id = 14


And at that point it becomes clear that content_id is protected so the error is thrown and the site locked down.

This even happens when trying to log in. I suspect that the reason why my test site works is because there is a lot more data stored and a protected content_id is not appearing in the SELECT FIRST 10.

It seems to be that the call to LibertyComment is redundant at this stage and in any case a fatal error should not be thrown at this point. Unfortunately, I haven't found a way of disabling the call to LibertyComment. It looks as if it is the constructor that is the culprit.
Lester Caine
Joined: 24 Apr 2004

Re: protector package (was Controlling forum access by group)

Posted:07 Nov 2009 (16:30 UTC)
Where did that go .... I'd posted a reply

Paul - I use protector on all my sites but I do have other packages turned off, so it's not tested with everything.
'enquirysolve.co.uk/wiki/index.php?page=Bassetlaw+District+Council+Site+Information' will show you what you should see, but I presume that you have already had that?
What packages do you have active? And more important is the deafult home page unprotected? So that 'site/bitweaver' actually displays a page. You need something visible to fall back to.
paul greavy
Joined: 31 Mar 2005

Re: protector package (was Controlling forum access by group)

Posted:09 Nov 2009 (09:02 UTC)
Hi Lester,

I haven't been able to track this down, other than it looks as if the problem _might_ be due to the fact that the site doesn't have much content and messages to the boards seem to be stored as comments. So the query that does the 'SELECT FIRST 10 from lcom.*" hits a test message to the protected board and the code that checks if a comment is protected then throws the error.

If I have time later today I'll try adding 10 dummy comments/messages/whatever and then add a comment to the protected board. That might fool the protector.

Paul
Lester Caine
Joined: 24 Apr 2004

Re: protector package (was Controlling forum access by group)

Posted:09 Nov 2009 (13:16 UTC)
It is possible that 'comments' are not being filtered properly. I mainly use fisheye galleries and content get filtered correctly to that but adding comments may not be setting the liberty_content_group_map entries for them. Although if there ARN'T values for the content_id then the query should default to 'OK' rather than block.
paul greavy
Joined: 31 Mar 2005

Re: protector package (was Controlling forum access by group)

Posted:10 Nov 2009 (06:08 UTC)
Thanks for the pointer.

I just started fresh with new admin board, protected it and then added a message. The admin board itself is in liberty_content_group_map but the message isn't.

I manually added the comments content_id and group_id to the liberty_content_group_map table and everything works.

So, now the question is - what code is needed to make sure that messages to protected boards get added to liberty_content_group_map?
paul greavy
Joined: 31 Mar 2005

Re: protector package (was Controlling forum access by group)

Posted:10 Nov 2009 (08:33 UTC)
I just turned the SQL debugging on to confirm - the call to LibertyProtector::storeProtection just gets completely missed when storing a new message to a protected board.

There is this test at the start of storeProtection:


<?php
if( @BitBase::verifyId$pParamHash['protector']['group_id'] ) )
?>


which fails because ['protector']['group_id'] has not been added to the pParamHash.

Unfortunately I don't know the code well enough to work out where to fix this.

Should I log this as a bug?
Lester Caine
Joined: 24 Apr 2004

Re: protector package (was Controlling forum access by group)

Posted:11 Nov 2009 (07:22 UTC)
Paul
I'll have a look at this later. THAT should come automatically from the services interface, so that the selection dropdown is added to the edit page, but this may be missing somewhere in the sequence. I've no actually USED boards yet, but I'll try and set one one here and check it out better.

Since you have a protected board, this value SHOULD be a copy of the one used by the board item. That is how it works with galleries and files in galleries.
Lester Caine
Joined: 24 Apr 2004

Re: protector package (was Controlling forum access by group)

Posted:11 Nov 2009 (16:35 UTC)
paul - I'm playing with 2.7 - with protector added rather than gatekeeper, but I've not found the problem you are seeing. I've created a visible board and one only visible to registered users, and while not logged in I just see the open one.

There is a problem which is due to the fact that the protection setting is NOT being applied to the comment records, so ALL are visible from recent posts and from view content. I need to get the posts to update
liberty_content_group_map based on the board setting to fully hide the content.

I have to presume now that we have a database specific problem since this is sort of working on Firebird. I suspect that simply fixing the underlying problem may sort it anyway if I can work out how to pass the protector setting onto the comment record.
  Page 1 of 2 »1 2 
Post
If you are already registered, please enter your login credentials.
Anonymous Post