246: another microscopically small bug

Started by on Feb 14, 2009 – Contents updated: Feb 14, 2009

Feb 14, 2009 17:32    

I totally know this is very tiny, but it is very reasonable for an average user to bump into it. So I share hoping that somehow it can be resolved. Work with me here as I try to keep it short...

Start with a brand new installation. Change the following conditions:
* enable registration
* disable validation of email (just to save you some time in a couple of minutes)
* Via the Users tab, change the "Basic Users" group as follows:
** give them a visible link to the admin area
** check the button for "add/upload" files
* Via the Blog Settings tab change a couple of things on blog #N
** enable 'advanced properties' to get Group Perms
** on Group perms make 'Basic Users' be "contributor".

Now log out of your admin account and register as a new user. You will be able to upload an image and insert it into a post, and "make posts" of an image.

Now log out of your 'basic user' account and log in as admin. On the Users tab access the settings for the "Basic Users" group and change "XHTML validation" on "Users -> group name" to "basic security settings". You are making it easier for your basic users to post - right?

Log out as admin and log in to your other account. You can still upload an image, but you can NOT insert it into a post. You get an error for having a class declaration, which happens to be the div class for the imageblock. You can still "make posts" of images, but you can't insert an image.

So the bug is that if you give a group with appropriate permissions to post an image AND give them 'less strict' XHTML validation requirements they lose the ability to insert images.

This is a reposting of the end result found in http://forums.b2evolution.net/viewtopic.php?p=87426 because I'm pretty sure it should be in the bugs section.
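To make the interaction concrete, here is an added, constructed model of the two group settings described above; it is not b2evolution's own validator. The "basic security" check refuses class and style declarations unless "allow css tweaks" is ticked, which is why the imageblock's div is rejected. The class allowlist is an assumption of this example, shown as the narrower alternative to opening CSS tweaks for the whole group.

```python
from html.parser import HTMLParser

# Constructed model, not b2evolution code: "basic security" validation rejects
# class/style declarations unless "allow css tweaks" is on, or (assumed here as a
# safer option) the class value is on a known-good allowlist.
SAFE_TAGS = {"p", "a", "img", "div", "em", "strong"}
SAFE_ATTRS = {"href", "src", "alt", "title"}
CSS_ATTRS = {"class", "style"}


class BasicSecurityChecker(HTMLParser):
    def __init__(self, allow_css_tweaks, class_allowlist):
        super().__init__()
        self.allow_css_tweaks = allow_css_tweaks
        self.class_allowlist = class_allowlist
        self.errors = []

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:
            self.errors.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name in CSS_ATTRS:
                allowed = self.allow_css_tweaks or (
                    name == "class" and value in self.class_allowlist)
                if not allowed:
                    self.errors.append(f"<{tag}> has a {name} declaration")
            elif name not in SAFE_ATTRS:
                # Event handlers such as onclick land here and are always refused.
                self.errors.append(f"attribute {name} not allowed on <{tag}>")


def validate(html, allow_css_tweaks=False, class_allowlist=frozenset()):
    """Return the list of validation errors; an empty list means the post passes."""
    checker = BasicSecurityChecker(allow_css_tweaks, class_allowlist)
    checker.feed(html)
    checker.close()
    return checker.errors


# Constructed markup standing in for what the "insert image" button emits.
IMAGEBLOCK = '<div class="image_block"><img src="/media/pic.jpg" alt="pic" /></div>'

if __name__ == "__main__":
    print(validate(IMAGEBLOCK))                                   # rejected
    print(validate(IMAGEBLOCK, allow_css_tweaks=True))            # passes
    print(validate(IMAGEBLOCK, class_allowlist={"image_block"}))  # passes
```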

Feb 14, 2009 17:44

What happens if you tick "allow css tweaks" ?

¥

Feb 14, 2009 17:55

I'm pretty sure that lets users insert images with the "less XHTML" setting checked, but that's not cool. I mean, if I allow a group to use less stringent XHTML how am I to magically know I also need to, effectively, open up a security hole?

BTW my users are pretty much the IE type. Not aware of other browsers, not aware of the reasons to not post an email addy on a forum, not aware that copy/pasting any and all code from anywhere might not be good, not aware of how to surf smart. So while I doubt the users will do malicious stuff with intent, I'd hate to find out I set up a situation where they could accidentally make bad things happen.

And with open registration who knows who'll come along, eh? The thing is, I'm giving posting permissions upon registration. All you have to know is when asked "what color is grass" you respond with "who cares - fire it up!" ;)

Feb 14, 2009 18:04

Does that mean it worked? ... just askin' because it looks in the code like it should ... so that'd narrow down the "sheesh this bit was written by a moron [ lets hope like buggery that section's not written by me, or I'll look like a dick .... again :-S ]" section of code I need to laugh ( or cringe ... I'm an optimist ) at ;)

I'm impressed that any IE user can work out how the files tab operates :D

¥

Feb 14, 2009 18:08

I will set up the situation again and test. Currently I am only "fairly certain" because I seem to recall asking myself if for some reason I had to untick that box ... and unticking it. Give me some time though as I'm about to put to the test creating a custom hook and moving the work to the plugin instead of hacking the snot out of my skin.

PS: I tell them. With $this->msg I tell them to look up above for "Files" and click it. :)

They're all good folk. Just that I can't predict the level of comfort or skill with webbyness yah?

Feb 14, 2009 20:50

Tested and confirmed. Unchecking the "allow css stuff" box after radio buttoning "basic security checking" allows a group-4 level-1 user to upload images again.

* edited * User problem, meaning I forgot it doesn't resize if you don't do the "make posts" thing.

Feb 14, 2009 21:07

@ Yabba
re bash.org
Thanks for that. :)
Made my morning though there's coffee all over the place.

Feb 15, 2009 06:59

Made me spit coffee over my monitor when I read it :D

I'll have a meander through the code and see what I can find eddy :roll:

¥