Loading...
 
Skip to main content

3.x: tiki-assignpermission.php fails when not filtered & default suhosin patch for apache in server

Status
Closed
Subject
3.x: tiki-assignpermission.php fails when not filtered & default suhosin patch for apache in server
Version
3.x
Category
  • Usability
Feature
Permission
Resolution status
Fixed or Solved
Submitted by
Xavier de Pedro
Lastmod by
Ushindi Gedeon
Rating
(0)
Description

From irc channel, today.
Summary (full log below):

tiki-assignpermission.php in tiki 3.x seems to send the whole bunch of permissions for a group in the POST variable to the server, even if you just assign 1 new perm. And the suhosin patch for apache seems to restrict the size of the POST, so that it gets truncated at some point, before reaching the new permission/s to be assigned

that was for group "admin", which includes (inherits) many many perms from the lower level groups

workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem
Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described above

Copy to clipboard
wtf*, there is something weird with tiki-assignpermission.php in tiki 3.3... ... I try to grant the 3 perms related to plugins to the group "Admins" (they have tiki_p_admin also already), and I get: You don't have permission to access /tiki-assignpermission.php on this server. (with a scary apache white page) I mean a 403 Forbidden page from apache to me that there is something wrong in the LTS for assigning permissions... [11:31] xavi aha, after conversation with sys admin in that server, I got the source of the problem, and workaround :-) tiki-assignpermission.php in tiki 3.x seems to send the whole bunch of permissions for a group in the POST variable to the server, even if you just assign 1 new perm. And the suhosin patch for apache seems to restrict the size of the POST, so that it gets truncated at some point, before reaching the new permission/s to be assigned [12:02] xavi that was for group "admin", which includes (inherits) many many perms from the lower level groups ok, workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described above [12:02] marclaporte will you report the bug to suhosin? [12:09] xavi hi marclaporte, it might very well be not a bug, but a conflict between the size of the post that tiki sends, and the size of the variable allowed by default values by suhosin in apache, which (as far as I've been told) it's customizable.... [12:12] marclaporte ok [12:12] xavi so the chances that they will not consider it a bug are high (maybe similar for tiki, which wouldn't be considered a bug, but some "bad luck" of using such a long default list of perms) [12:13] marclaporte so nobody's "fault" but it's doesn't work [12:15] xavi btw, thanks for message introducing to the author of jquery spreadsheet... "it doesn't work": well, it does, if you filter the long list of perms for a section first or if you moun your sys admin to find out how to increase that default size in suhosin [12:15]
Solution

workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem
Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described above

Workaround
Importance
5
Priority
25
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
2933
Created
Wednesday 16 December, 2009 21:43:09 UTC
by Xavier de Pedro
LastModif
Monday 01 June, 2026 17:40:28 UTC


Show PHP error messages