[BlueOnyx:20907] Re: PHP error when trying to delete a user as site admin

Michael Stauber mstauber at blueonyx.it
Wed Apr 12 15:57:35 -05 2017


Hi Andreas,

> To fix it I
> edited /usr/sausalito/ui/chorizo/ci/application/modules/base/user/controllers/userDel.php
> like so:
> 
> 
> --- /usr/sausalito/ui/chorizo/ci/application/modules/base/user/controllers/userDel.php.orig 2017-04-12 18:52:39.661150141 +0200
> +++ /usr/sausalito/ui/chorizo/ci/application/modules/base/user/controllers/userDel.php  2017-04-12 18:58:00.822899107 +0200
> @@ -29,6 +29,7 @@
>          $CI->serverScriptHelper = new ServerScriptHelper($CI->BX_SESSION['sessionId'], $CI->BX_SESSION['loginName']);
>          $CI->cceClient = $CI->serverScriptHelper->getCceClient();
> 
> +        $user = $CI->BX_SESSION['loginUser'];
>          $i18n = new I18n("base-user", $CI->BX_SESSION['loginUser']['localePreference']);
> 
>          // Initialize Capabilities so that we can poll the access rights as well:
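Review bot: the added `$user = $CI->BX_SESSION['loginUser'];` carries no comment saying what `$user` is for, and its only consumer (the siteAdmin site-ownership test further down the file) is not in this hunk, so a reader of this region cannot tell why a session copy is being pulled here. Either add a one-line comment naming the check it feeds, or read `$CI->BX_SESSION['loginUser']['site']` directly at that check and drop the variable, which also keeps the value next to its use.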
> 
> 
> Deleting a user is working now, but I don't know if that's the
> "correct" way to fix this issue.

Thank you very much for the bug report *and* suggesting a fix. I really
appreciate it!

I just confirmed that the code indeed is faulty and then I checked SVN
to see when that bug got introduced. Here is the code change that
dropped the setting of the $user variable:

http://devel.blueonyx.it/trac/changeset/2723/BlueOnyx/5207R/ui/base-user.mod/ui/chorizo/web/controllers/userDel.php

In line 33 we previously used to set $user this way:

$user = $cceClient->getObject("User", array("name" => $loginName));

Your suggestion to replace it with ...

$user = $CI->BX_SESSION['loginUser'];

... is indeed a very acceptable solution and does the trick. I then
checked where we actually use the $user variable in this GUI page and
it's only in one place:

// One more security check: Is siteAdmin, not manageSite, not admin:
if (($Capabilities->getAllowed('siteAdmin'))
	&& (!$Capabilities->getAllowed('manageSite'))
	&& ($CI->BX_SESSION['loginName'] != "admin")) {
	// So we have a siteAdmin. Is he of the same group as the
	// user he wants to delete?
	if ($user['site'] != $group) {
		// Don't play games with us!
		// Nice people say goodbye, or CCEd waits forever:
		$CI->cceClient->bye();
		$CI->serverScriptHelper->destructor();
		Log403Error("/gui/Forbidden403#5");
	}
}

That's where we make sure that the user is siteAdmin and actually
belongs to this Vsite.

So instead of doing your suggested ...

$user = $CI->BX_SESSION['loginUser'];

... at the beginning of the GUI page we could as well drop using the
$user variable in this condition ...

if ($user['site'] != $group) {

... and change that condition to this instead:

if ($CI->BX_SESSION['loginUser']['site'] != $group) {

That's slightly cleaner code, but for all intents and purposes functions
in the same way as you suggested.

Andreas, many thanks again! I'll publish this as an update to the YUM
repositories within the next hour.

-- 
With best regards

Michael Stauber
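As an added example (not BlueOnyx's own code), the siteAdmin ownership check discussed above rewritten as a pure function that fails closed when the session carries no loginUser record, which is the situation the dropped $user assignment produced; the function name, parameter names and the constructed session arrays are assumptions.

```php
<?php
// Added example, not BlueOnyx's own code: the siteAdmin ownership check
// from userDel.php as a pure, fail-closed function. Names are assumptions.

function siteAdminMayDelete(array $session, array $allowed, string $group): bool
{
    // The restriction only applies to a siteAdmin who is not manageSite
    // and is not the server admin, exactly as in the original condition.
    $restricted = !empty($allowed['siteAdmin'])
        && empty($allowed['manageSite'])
        && (($session['loginName'] ?? '') !== 'admin');
    if (!$restricted) {
        return true; // other roles were already vetted by the earlier checks
    }

    // Fail closed: an absent or empty loginUser record must deny outright
    // rather than rely on how an undefined value happens to compare.
    $site = $session['loginUser']['site'] ?? null;
    if (!is_string($site) || $site === '') {
        return false;
    }

    // Strict comparison so "0" or "" can never match under PHP's loose rules.
    return $site === $group;
}

// Constructed sessions for a quick self-check (no real BlueOnyx data).
function selfCheck(): bool
{
    $caps  = ['siteAdmin' => true, 'manageSite' => false];
    $own   = ['loginName' => 'alice', 'loginUser' => ['site' => 'site1']];
    $other = ['loginName' => 'alice', 'loginUser' => ['site' => 'site2']];
    $none  = ['loginName' => 'alice'];                   // no loginUser at all
    $admin = ['loginName' => 'admin', 'loginUser' => ['site' => 'site2']];

    return siteAdminMayDelete($own,   $caps, 'site1') === true
        && siteAdminMayDelete($other, $caps, 'site1') === false
        && siteAdminMayDelete($none,  $caps, 'site1') === false
        && siteAdminMayDelete($admin, $caps, 'site1') === true;
}

echo selfCheck() ? "checks passed\n" : "checks FAILED\n";
```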
