MantisBT - v3.0 Release
View Issue Details
0001249 | v3.0 Release | [All Projects] General | public | 2013-02-25 06:40 | 2013-08-28 11:17
Reporter: carlosazevedo
Assigned To: caseydk
Priority: normal | Severity: major | Reproducibility: always
Status: closed | Resolution: fixed
Platform: | OS: | OS Version:
Product Version:
Target Version: | Fixed in Version: 3.0.0
Summary: 0001249: Administrators can't add users.
Description: Whenever I try to create a user, as an administrative user (including the default admin), I get the following error:

Access Denied

You have attempted to access an item in web2Project without the sufficient permissions to do so. Please contact the web2Project System Administrator.

Nevertheless the row with the users' info is created in the 'users' table.
Tags: No tags attached.
Attached Files

Notes
(0002796)
carlosazevedo   
2013-02-25 07:16   
(Last edited: 2013-02-25 08:13)
The Apache log shows the error:

[Mon Feb 25 16:14:00 2013] [error] [client 127.0.0.1] C:\\wamp\\www\\web2project3\\classes\\w2p\\Database\\Query.class.php(1137): query failed(INSERT INTO `user_preferences`(`pref_user`,`pref_name`,`pref_value`) VALUES ('50','TASKSEXPANDED','0')) - error was: <span style="color:red">Duplicate entry '50-TASKSEXPANDED' for key 'PRIMARY'</span>, referer: http://localhost/web2project3/index.php?m=admin&a=addedituser

This error is generated inside the hook_postStore method.

This is the backtrace displayed on screen:

ERROR: /home/ctrpt/public_html/web2project3/classes/w2p/Database/Query.class.php(1137) : query failed(INSERT INTO `user_preferences`(`pref_user`,`pref_name`,`pref_value`) VALUES ('50','TASKSEXPANDED','0')) - error was: Duplicate entry '50-TASKSEXPANDED' for key 'PRIMARY'
Backtrace:
0 /home/ctrpt/public_html/web2project3/classes/w2p/Database/Query.class.php:1137 dprint()
1 /home/ctrpt/public_html/web2project3/modules/admin/users.class.php:107 exec()
2 /home/ctrpt/public_html/web2project3/classes/w2p/Core/BaseObject.class.php:734 hook_postStore()
3 /home/ctrpt/public_html/web2project3/classes/w2p/Core/Dispatcher.class.php:93 publish()
4 /home/ctrpt/public_html/web2project3/classes/w2p/Core/BaseObject.class.php:349 publish()
5 /home/ctrpt/public_html/web2project3/modules/admin/users.class.php:81 store()
6 /home/ctrpt/public_html/web2project3/modules/admin/do_user_aed.php:67 store()
7 /home/ctrpt/public_html/web2project3/index.php:243 require()

(0002797)
carlosazevedo   
2013-02-26 01:18   
(Last edited: 2013-02-26 07:01)
Actually, these are symptoms of two separate bugs; under circumstances I have yet to find out, the 'user_preferences' table ends up with rows for the TASKSEXPANDED preference with the 'pref_user' column set to both null and to '0' (one of each). When the hook_postStore method loads the default preferences using a 'where' clause set to 0 (numeric), both rows are loaded and then their insertion is attempted and fails.
The other bug is that whenever the default user preferences are stored, a numeric 0 is stored into 'pref_user' but MySQL (or PHP) converts that into a null value. So the 'pref_user' column ends up empty instead of having a '0' in it.
By typecasting the $pref_user variable in the do_preference_aed.php file into a string, that is avoided. The line should read:

$obj->pref_user = (string)$pref_user;

Also, setting and filtering varchar fields with numeric values is dangerous, as indicated in the MySQL bug report: http://bugs.mysql.com/bug.php?id=52155

(0002798)
carlosazevedo   
2013-02-26 06:33   
I've finally found the bug: if a user is created with the same email address as that of another one, the 'canCreate' method of the 'CContact' class will return false while storing an error message in the class object.
This method is called inside the 'w2p_Core_BaseObject' class' 'store' method to check for insert permissions. Since the method returns false, the insert is not performed, which is what happens when storing the contact information for the new user.
Therefore no row is inserted into the 'contacts' table, making the new user invisible (it does not appear on the user list because it must have a contact row to do so due to a join clause).
When the 'view' operation is executed after (half-)creating the new user, it bombs with a permission error because the new user id is not found on the user list and so the permission test for the 'view' op fails.
What should happen is that an error message is displayed when an already existent email is input in the email field of a new user.

(0002799)
carlosazevedo   
2013-02-26 07:00   
After looking some more at the code the problem is at the line:

$result = ('' == $result) ? true : $result;

in the 'store' method of the 'w2p_Core_BaseObject' class. If the $result variable contains a boolean false it will match the comparison with an empty string, thereby being reverted to a boolean true.
Since I can't see how the $result variable can change to an empty string this seems to be a 'left-over' bug. Removing the line solves the problem and the proper error message is displayed.
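
The comparison described in note 0002799, as an added PHP illustration that is not web2project's code: `canCreateDemo`, `storeDemo` and the sample address are hypothetical stand-ins showing how `'' == $result` makes a refused insert look like a successful store.

```php
<?php
// Added illustration; function names and sample data are hypothetical,
// not taken from web2project.

/** Stand-in permission check: false when the e-mail is already in use. */
function canCreateDemo(array $contacts, $email)
{
    return !in_array(strtolower($email), $contacts, true);
}

/**
 * Stand-in for a store() method. $keepLeftoverLine toggles the line quoted
 * in the note so both behaviours can be compared.
 */
function storeDemo(array &$contacts, $email, $keepLeftoverLine)
{
    $result = false;
    if (canCreateDemo($contacts, $email)) {
        $contacts[] = strtolower($email);   // the insert happens only here
        $result = true;
    }
    if ($keepLeftoverLine) {
        // Loose comparison: boolean false equals '' here, so a refusal
        // is rewritten to true.
        $result = ('' == $result) ? true : $result;
    }
    return $result;
}

$contacts = ['alice@example.test'];          // constructed sample row

foreach ([true, false] as $keep) {
    $rows = $contacts;
    $ok = storeDemo($rows, 'alice@example.test', $keep);   // duplicate address
    printf("leftover line %s: store() returned %s, rows in table: %d\n",
        $keep ? 'kept' : 'removed', var_export($ok, true), count($rows));
}

// Which values loosely equal ''? Strict comparison accepts only '' itself.
// (0 == '' is true before PHP 8 and false from PHP 8 onward.)
foreach ([false, null, '', '0', 0] as $value) {
    printf("%-5s  == '': %-5s  === '': %s\n", var_export($value, true),
        var_export('' == $value, true), var_export('' === $value, true));
}
```

Callers that gate later steps on the return value of a store or permission method should compare it with `===` so that `false`, `null` and `''` stay distinguishable.
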
(0002801)
caseydk   
2013-02-26 21:10   
Resolved:
https://github.com/caseysoftware/web2project/commit/711894e97c2b6fa7c7f9d7143ec6cf3bb34840c8
https://github.com/caseysoftware/web2project/commit/1f0ed392f7d39adf5b9fbfebe3ede860a5b36fa1

Issue History
2013-02-25 06:40 | carlosazevedo | New Issue
2013-02-25 07:16 | carlosazevedo | Note Added: 0002796
2013-02-25 07:30 | carlosazevedo | Note Edited: 0002796
2013-02-25 08:13 | carlosazevedo | Note Edited: 0002796
2013-02-26 01:18 | carlosazevedo | Note Added: 0002797
2013-02-26 06:33 | carlosazevedo | Note Added: 0002798
2013-02-26 06:34 | carlosazevedo | Note Edited: 0002797
2013-02-26 07:00 | carlosazevedo | Note Added: 0002799
2013-02-26 07:01 | carlosazevedo | Note Edited: 0002797
2013-02-26 21:10 | caseydk | Note Added: 0002801
2013-02-26 21:10 | caseydk | Status | new => resolved
2013-02-26 21:10 | caseydk | Resolution | open => fixed
2013-02-26 21:10 | caseydk | Assigned To | => caseydk
2013-08-28 11:14 | caseydk | Fixed in Version | => 3.0.0
2013-08-28 11:17 | caseydk | Status | resolved => closed