ID: 0001249
Project: v3.0 Release
Category: [All Projects] General
View Status: public
Last Update: 2013-08-28 11:17
Reporter: carlosazevedo
Assigned To: caseydk
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 3.0.0

Summary: 0001249: Administrators can't add users.

Description: Whenever I try to create a user, as an administrative user (including the default admin), I get the following error:

Access Denied

You have attempted to access an item in web2Project without the sufficient permissions to do so. Please contact the web2Project System Administrator.

Nevertheless the row with the users' info is created in the 'users' table.
Tags: No tags attached.
Notes

~0002796

carlosazevedo (reporter)

Last edited: 2013-02-25 08:13

The Apache log shows the error:

[Mon Feb 25 16:14:00 2013] [error] [client 127.0.0.1] C:\\wamp\\www\\web2project3\\classes\\w2p\\Database\\Query.class.php(1137): query failed(INSERT INTO `user_preferences`(`pref_user`,`pref_name`,`pref_value`) VALUES ('50','TASKSEXPANDED','0')) - error was: <span style="color:red">Duplicate entry '50-TASKSEXPANDED' for key 'PRIMARY'</span>, referer: http://localhost/web2project3/index.php?m=admin&a=addedituser

This error is generated inside the hook_postStore method.

This is the backtrace displayed on screen:

ERROR: /home/ctrpt/public_html/web2project3/classes/w2p/Database/Query.class.php(1137) : query failed(INSERT INTO `user_preferences`(`pref_user`,`pref_name`,`pref_value`) VALUES ('50','TASKSEXPANDED','0')) - error was: Duplicate entry '50-TASKSEXPANDED' for key 'PRIMARY'
Backtrace:
0 /home/ctrpt/public_html/web2project3/classes/w2p/Database/Query.class.php:1137 dprint()
1 /home/ctrpt/public_html/web2project3/modules/admin/users.class.php:107 exec()
2 /home/ctrpt/public_html/web2project3/classes/w2p/Core/BaseObject.class.php:734 hook_postStore()
3 /home/ctrpt/public_html/web2project3/classes/w2p/Core/Dispatcher.class.php:93 publish()
4 /home/ctrpt/public_html/web2project3/classes/w2p/Core/BaseObject.class.php:349 publish()
5 /home/ctrpt/public_html/web2project3/modules/admin/users.class.php:81 store()
6 /home/ctrpt/public_html/web2project3/modules/admin/do_user_aed.php:67 store()
7 /home/ctrpt/public_html/web2project3/index.php:243 require()

~0002797

carlosazevedo (reporter)

Last edited: 2013-02-26 07:01

Actually, these are symptoms of two separate bugs; under circumstances I have yet to find out, the 'user_preferences' table ends up with rows for the TASKSEXPANDED preference with the 'pref_user' column set to both null and to '0' (one of each). When the hook_postStore method loads the default preferences using a 'where' clause set to 0 (numeric), both rows are loaded and then their insertion is attempted and fails.
The other bug is that whenever the default user preferences are stored, a numeric 0 is stored into 'pref_user' but MySQL (or PHP) converts that into a null value. So the 'pref_user' column ends up empty instead of having a '0' in it.
By typecasting the $pref_user variable in the do_preference_aed.php file into a string that is avoided. The line should read:

$obj->pref_user = (string)$pref_user;

Also, setting and filtering varchar fields with numeric values is dangerous, as indicated in the MySQL bug report: http://bugs.mysql.com/bug.php?id=52155

~0002798

carlosazevedo (reporter)

I've finally found the bug: if a user is created with the same email address as that of another one, the 'canCreate' method of the 'CContact' class will return false while storing an error message in the class object.
This method is called inside the 'w2p_Core_BaseObject' class' 'store' method to check for insert permissions. Since the method returns false, the insert is not performed, which is what happens when storing the contact information for the new user.
Therefore no row is inserted into the 'contacts' table, making the new user invisible (it does not appear on the user list because it must have a contact row to do so, due to a join clause).
When the 'view' operation is executed after (half-)creating the new user, it bombs with a permission error because the new user id is not found on the user list and so the permission test for the 'view' op fails.
What should happen is that an error message is displayed when an already existing email is input in the email field of a new user.

~0002799

carlosazevedo (reporter)

After looking some more at the code the problem is at the line:

$result = ('' == $result) ? true : $result;

in the 'store' method of the 'w2p_Core_BaseObject' class. If the $result variable contains a boolean false it will match the comparison with an empty string, thereby being reverted to a boolean true.
Since I can't see how the $result variable can change to an empty string this seems to be a 'left-over' bug. Removing the line solves the problem and the proper error message is displayed.
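
Added example, not part of the original note or of the web2project code base: a minimal PHP reproduction of the comparison described in note 0002799, showing how a failed create/permission check is reported as success by the loose `==` form. The functions `canCreateContact`, `normalizeLoose` and `normalizeStrict` and the sample e-mail address are hypothetical; the strict variant is shown for contrast and is not the project's fix.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a check like canCreate(): returns false and
// records an error message when the e-mail address is already in use.
function canCreateContact(string $email, array $existing, array &$errors): bool
{
    if (in_array(strtolower($email), $existing, true)) {
        $errors[] = 'E-mail address already in use';
        return false;
    }
    return true;
}

// The line quoted in the note: loose comparison, so false == '' holds.
function normalizeLoose($result)
{
    return ('' == $result) ? true : $result;
}

// Strict variant (an assumption, not the project's fix): only a literal
// empty string is rewritten, so a boolean false stays a denial.
function normalizeStrict($result)
{
    return ('' === $result) ? true : $result;
}

$errors   = [];
$existing = ['admin@example.org'];            // constructed sample data
$check    = canCreateContact('Admin@example.org', $existing, $errors);

// Print the check result and what each normalisation makes of it.
foreach (['raw' => $check,
          'loose' => normalizeLoose($check),
          'strict' => normalizeStrict($check)] as $label => $value) {
    printf("%-6s => %s\n", $label, var_export($value, true));
}

// The recorded error is still present even when the loose form reports success.
printf("errors => %s\n", implode('; ', $errors));
```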

~0002801

caseydk (administrator)

Resolved:
https://github.com/caseysoftware/web2project/commit/711894e97c2b6fa7c7f9d7143ec6cf3bb34840c8
https://github.com/caseysoftware/web2project/commit/1f0ed392f7d39adf5b9fbfebe3ede860a5b36fa1

Issue History
Date Modified Username Field Change
2013-02-25 06:40 carlosazevedo New Issue
2013-02-25 07:16 carlosazevedo Note Added: 0002796
2013-02-25 07:30 carlosazevedo Note Edited: 0002796
2013-02-25 08:13 carlosazevedo Note Edited: 0002796
2013-02-26 01:18 carlosazevedo Note Added: 0002797
2013-02-26 06:33 carlosazevedo Note Added: 0002798
2013-02-26 06:34 carlosazevedo Note Edited: 0002797
2013-02-26 07:00 carlosazevedo Note Added: 0002799
2013-02-26 07:01 carlosazevedo Note Edited: 0002797
2013-02-26 21:10 caseydk Note Added: 0002801
2013-02-26 21:10 caseydk Status new => resolved
2013-02-26 21:10 caseydk Resolution open => fixed
2013-02-26 21:10 caseydk Assigned To => caseydk
2013-08-28 11:14 caseydk Fixed in Version => 3.0.0
2013-08-28 11:17 caseydk Status resolved => closed