3.x: tiki-assignpermission.php fails when not filtered & default suhosin patch for apache in server
- Status
- Open
- Subject
- 3.x: tiki-assignpermission.php fails when not filtered & default suhosin patch for apache in server
- Version
- 3.x
- Category
- Usability
- Feature
- Permission
- Resolution status
- New
- Submitted by
- Xavier de Pedro
- Lastmod by
- Xavier de Pedro
- Rating
- Description
From irc channel, today.
Summary (full log below):tiki-assignpermission.php in tiki 3.x seems to send the whole bunch of permissions for a group in the POST variable to the server, even if you just assign 1 new perm. And the suhosin patch for apache seems to restrict the size of the POST, so that it gets truncated at some point, before reaching the new permission/s to be assigned
that was for group "admin", which includes (inherits) many many perms from the lower level groups
workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem
Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described aboveCopy to clipboardwtf*, there is something weird with tiki-assignpermission.php in tiki 3.3... ... I try to grant the 3 perms related to plugins to the group "Admins" (they have tiki_p_admin also already), and I get: You don't have permission to access /tiki-assignpermission.php on this server. (with a scary apache white page) I mean a 403 Forbidden page from apache to me that there is something wrong in the LTS for assigning permissions... [11:31] xavi aha, after conversation with sys admin in that server, I got the source of the problem, and workaround :-) tiki-assignpermission.php in tiki 3.x seems to send the whole bunch of permissions for a group in the POST variable to the server, even if you just assign 1 new perm. And the suhosin patch for apache seems to restrict the size of the POST, so that it gets truncated at some point, before reaching the new permission/s to be assigned [12:02] xavi that was for group "admin", which includes (inherits) many many perms from the lower level groups ok, workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described above [12:02] marclaporte will you report the bug to suhosin? [12:09] xavi hi marclaporte, it might very well be not a bug, but a conflict between the size of the post that tiki sends, and the size of the variable allowed by default values by suhosin in apache, which (as far as I've been told) it's customizable.... [12:12] marclaporte ok [12:12] xavi so the chances that they will not consider it a bug are high (maybe similar for tiki, which wouldn't be considered a bug, but some "bad luck" of using such a long default list of perms) [12:13] marclaporte so nobody's "fault" but it's doesn't work [12:15] xavi btw, thanks for message introducing to the author of jquery spreadsheet... "it doesn't work": well, it does, if you filter the long list of perms for a section first or if you moun your sys admin to find out how to increase that default size in suhosin [12:15]- Solution
workaround: filter first for a section (wiki, in my case), so that the list of perms is reduced to a smaller number. Assign the perms related to plugins, and then it works with no problem
Moreover, there seemed to be a problem with mod security (with the standard rules coming to Debian based servers), which was causing error 403 with that tiki-assignpermission.php .... once the sys admin disabled modsecurity for our site, tiki-assignpermissions.php worked as expected with the workaround described above- Importance
- 5
- Priority
- 25
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Version: Create show2.tiki.org instanceAbout show2.tiki.orgTo help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
- Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
Please demonstrate your bug on show.tikiwiki.org
Show.tiki.org is currently unavailableUnable to connect to show.tikiwiki.org. Please let us know of the problem so that we can do something about it. Thanks.
- Ticket ID
- 2933
- Created
- Wednesday 16 December, 2009 21:43:09 GMT-0000
by Xavier de Pedro - LastModif
- Wednesday 16 December, 2009 21:43:09 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- Installation process of Tiki from git doesn't complete anymore and end with Fatal error
- Page description, when activated, is always used in browser title display mode
- Anonymous user can't switch perspectives - new permission needed.
- Better colors for the text color toolbar tool in Tiki
- line 1504 of wikiplugin_img.php appends px regardless of what width is
;){kind=link}
;){kind=link}