- Moderated by:
- Support Team
Permissions and accessing admin functions
-
- rank:
-
Freshman
- registered:
- July 2003
- Status:
- offline
- last visit:
- 20.07.07
- Posts:
- 13
I have a module developed by a 3rd party. I've created a group called "Editors" and have set the permissions for this module to:
Code
Editors Third_Party_Mod:: .* Admin
but when a member of the Editors group accesses the admin functions, the parameters passed to the admin function (extracted using pnVarCleanFromInput("foo")) come back either blank or with a format that is different than when this same function with same values are accessed by someone in the Admin group.
Any idea why this would be? I would have expected that anyone in the Editors group should be passing values exactly as an Admin user (I do recognize that Admin permission level is different from the Admin group, but I don't get why the parameters are being passed differently).
I have added all sorts of error_log() calls in and around this method. The Editor user is passing the security check, but the values in their parameters are somehow different.
Thanks,
mG.
-
- rank:
-
Freshman
- registered:
- July 2003
- Status:
- offline
- last visit:
- 20.07.07
- Posts:
- 13
Okay, so I've tracked the problem down to pnVarCleanFromInput(). FYI, I'm using 0.764.
When this function is run as a non-Admin, then a preg_replace is run on the variable:
Code
if (!pnSecAuthAction(0, '.*', '.*', ACCESS_ADMIN)) {
$ourvar = preg_replace($search, $replace, $ourvar);
}
gettype($ourvar) just before that code snippet is "array", and after is "string" (whose value is now "Array"). So I strongly suspect that preg_replace() on $ourvar when it is an array is breaking it.
Anyone care to comment? This function appears to be gone from pnAPI in head-rev (though comments still refer to it being called...so maybe it's been relocated??)
Thanks,
mG.
|
