[2.0.21] prevent reply notifications to unauthorized users

All new MODs released in our MOD Database will be announced in here. All support for released MODs needs to take place in here. No new MODs will be accepted into the MOD Database for phpBB2

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.


petes
Registered User
Posts: 72
Joined: Thu Feb 19, 2004 11:21 pm

Post by petes »

Hmph!

Ok, now it's my turn... I'll go back and try it all over again to see what the problem really is. I also have another test board with no mods, so I can isolate it there.

I'll post back what I find.

Thanks.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Thanks, Pete. Just to be clear about what I tried: all I did was to take a test user and remove him from all groups. I then tried reply notification to that user and found that if the forum in question was open to all or to registered users the test user would get notified but if the forum in question was private the test user would only be notified if he had been granted user level access to that forum - just the way things are supposed to work.

What I did NOT try was to set up a board that has absolutely no groups on it.

So, could you try setting up a test user who is a member of no groups on one of your boards where this is working and see if that user gets notifications. If that works, then try again on the board that has no groups. I can't see from the code why it would matter whether there are or are not groups, but I guess you never know...
petes
Registered User
Posts: 72
Joined: Thu Feb 19, 2004 11:21 pm

Post by petes »

asinshesq wrote: ...try setting up a test user who is a member of no groups on one of your boards where this is working and see if that user gets notifications


Yes, that works. Everything works fine on the boards where it works. Email goes out where it should, and doesn't where it no longer should. (But I did a double check to test this.)

---
asinshesq wrote: ...try again on the board that has no groups. I can't see from the code why it would matter whether there are or are not groups, but I guess you never know...


On a test board with no mods and no groups, I set 2 users, no special rights for the test user (the other is Admin). I set them to watch a topic in a registered (not hidden) forum. On posting they both get notified.

Next I add the mod. Both users are Watching, both post, neither gets notified.

I create a group, give it mod rights to the forum (Admin is group mod), both post, both get notified. (The group has NO members, only the Admin as group mod. If the group doesn't have mod rights to anything, no notifies go out.)

I created a new registered (not hidden) forum, took away group mod rights to the first forum, then nothing works again. Next I added group mod rights to the new forum, but posted in the old first watched forum, both post, and both get notified.

In previous testing I tried adding members to a group that wasn't given rights to any forum and that didn't help... a group must be connected to some, any (but at least one) forum, but members DON'T have to be a part of the group (I reported this incorrectly before-saying they did have to be group members). My test user was never a part of the group on the test board, and the Admin was a group mod, but not a member.

---

I can see that it would not be normal to install this mod on a board with no groups connected to forums, and without members. And a workaround would be to create a group and connect it to a forum to fix this. But I would think this should be found and fixed though, because sure enough, someone will have it running, then remove the group(s) to make the board open access... and notifying will fail.

I hope this helps.... your turn. :)
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

OK, I gather it screws up when the auth_access table has absolutely no entries in it, correct? So if there exists any user or any group that happens to have permission to a random forum (so that there is at least one entry in auth_access), things work for every other group and every other user and every other forum, correct?

Surprising. I don't understand why the mysql query fails when the auth_access table has no entries (since the code checks to see if there is a match in auth_access OR if the forum is open, and if either is true it should return an answer).

Anyway, this is easy for me to work around (I can do a separate sql query to find out if there are any entries in the auth_access table and if not, I could just check to see if the forum in question is open). But that's really inelegant (2 queries instead of one). I'm going to study this some more to see if I can figure out why it really does this..

Thanks again for your help.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Having studied this some more, I have concluded that I can either (a) add a separate test to see if the auth_access table is empty and if it is, skip that part of the query, (b) change the entire query into one that uses LEFT JOIN, which may be over my head or (c) simply stick a 0 entry in the auth_access table so that it is not empty. I opt for that final solution. Very simple and it should work fine. I'll resubmit a version for validation that has people insert a 0 entry into that table.
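The empty-table behaviour discussed in the posts above, reproduced as an added example (not the MOD's code, which the thread omits). It assumes the permission check was written as an implicit comma join; the schema, table contents and column names are simplified and constructed for illustration, and SQLite stands in for MySQL.

```python
import sqlite3

# Simplified, constructed schema: table and column names are assumptions
# modelled loosely on the thread, not phpBB's real tables.
SCHEMA = """
CREATE TABLE forums (forum_id INTEGER, is_open INTEGER);
CREATE TABLE watchers (user_id INTEGER, forum_id INTEGER);
CREATE TABLE user_group (user_id INTEGER, group_id INTEGER);
CREATE TABLE auth_access (group_id INTEGER, forum_id INTEGER, auth_read INTEGER);
INSERT INTO forums VALUES (1, 1), (2, 0);      -- forum 1 open, forum 2 private
INSERT INTO watchers VALUES (10, 1), (11, 1), (10, 2), (11, 2);
INSERT INTO user_group VALUES (11, 5);
"""

# Implicit (comma) join: every result row needs a row from auth_access,
# so an empty auth_access yields nothing, even when "f.is_open = 1" is true.
COMMA_JOIN = """
SELECT DISTINCT w.user_id
FROM watchers w, forums f, auth_access aa
WHERE w.forum_id = :fid AND f.forum_id = w.forum_id
  AND (f.is_open = 1
       OR (aa.forum_id = f.forum_id AND aa.auth_read = 1
           AND aa.group_id IN (SELECT group_id FROM user_group ug
                               WHERE ug.user_id = w.user_id)))
ORDER BY w.user_id
"""

# LEFT JOIN keeps the watcher row when there is no matching permission row.
LEFT_JOIN = """
SELECT DISTINCT w.user_id
FROM watchers w
JOIN forums f ON f.forum_id = w.forum_id
LEFT JOIN user_group ug ON ug.user_id = w.user_id
LEFT JOIN auth_access aa ON aa.group_id = ug.group_id
     AND aa.forum_id = f.forum_id AND aa.auth_read = 1
WHERE w.forum_id = :fid AND (f.is_open = 1 OR aa.group_id IS NOT NULL)
ORDER BY w.user_id
"""

def recipients(query, forum_id, grants=()):
    """Return the user ids to notify for forum_id, given auth_access rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO auth_access VALUES (?, ?, ?)", grants)
    return [row[0] for row in db.execute(query, {"fid": forum_id})]
```

With no grants, `recipients(COMMA_JOIN, 1)` is empty for the open forum, while a single unrelated grant such as `(99, 7, 1)` makes it return both watchers, which matches the behaviour reported in the testing above; the LEFT JOIN form returns the authorized watchers in both cases.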
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

I spoke too soon. I decided I wanted to fix this properly without kludging. Here's the change that I came up with that seems to work fine (and I would be grateful if others would test this out without using my auth_access kludge and confirm that it works):

[edit: code omitted since it is now part of the current version]

And as discussed before, none of these changes are actually needed unless you have absolutely no usergroups set up with special access to a forum.

[edit: I've been using this for a while now (and petes has been using it too) and it all seems to be working fine; I've submitted the change for validation and that process should take a few more weeks.]

[second edit (IMPORTANT): please make the change described in this post. I have discovered that the original query takes a very long time to execute and so it will lock up even a middle size board for a fair number of seconds...the new query in this post is much more efficient and should not give you any problems. For example, on my board with 140 users, the old query takes about 20 seconds to execute (that's 20 seconds each time a reply email goes out!) while the new query is basically instantaneous.]
Last edited by asinshesq on Wed Feb 16, 2005 10:40 pm, edited 6 times in total.
petes
Registered User
Posts: 72
Joined: Thu Feb 19, 2004 11:21 pm

Post by petes »

The new SQL code now allows notification when no groups rights are in use...

But it blocks Admins and Mods from getting notified (if the user's level in user table is 1 or 2, it fails) under certain conditions... Admin wasn't getting notified, but the test user was, UNTIL I made the user a mod for that forum. Having undone that then user got notified again. Admin also didn't get notified when set as group mod, even though group had no mod rights to any forum. Deleting group allowed Admin to get notified. Then re-adding group didn't stop notifies, UNTIL I made group that Admin was mod, a mod for a forum. Oddly, removing the group mod rights didn't cause notifies to be allowed, neither did removing the group (as it did fix it the first time).

It looks to me as though there are things being written to db tables that are not being removed, or some such. Such as when you make a user a forum mod, then remove them... they are no longer a mod for any forum, but are still green as such because it doesn't set their user_level back to 0 (it stays at 2 until manually fixed in db table).

I hope that helps... it may be that this is just too complex, taking into account all variables, and things that may be getting set, but not properly unset as well...

A better kludge than what you suggested for the auth_access table, may be for users with no current groups to simply set one dummy group up, with Admin as mod, give the group rights to a forum so it's in the auth_access table, and all should work. EXCEPT, it still has a problem notifying Admin (and I suspect mods as well). This is regarding the original released version and the one we are testing here.

Pete
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Pete, try as I will, I cannot replicate the admin or mod failure that you report. Whether I have groups set up or not, and whether the test user is an admin or mod or a regular user with group access (or the forum is open), the emails go through when they are supposed to go through.

Could you perhaps give me a meticulous step by step of exactly what you did to 'achieve' failure. I do not doubt you, I'm just having trouble figuring out what you did that resulted in the thing not working right, since the damn thing insists on working with me..

Let's for now focus on a single instance of failure so that I can see what you are talking about rather than trying to canvass all possible issues.

So, do you want me to test with groups in existence or not? Should the forum in question be 'private' or open to all registered users or all users? Etc.

Thanks!
petes
Registered User
Posts: 72
Joined: Thu Feb 19, 2004 11:21 pm

Post by petes »

:oops:

I too couldn't reproduce it... then I got conflicting results...

It looks like I was causing it to fail by the way I was posting. After the first test post I would hit the back button twice and re-submit the same post again and again. This does work, but IF you get in a hurry and don't allow the refer screen to do its job the email isn't sent. (Makes sense if you think about it.) Then after that all retries fail, until you start fresh by clicking the postreply button.

Good job, looks like your fix is a success! Sorry for the false alarm.

Pete
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

petes wrote: :oops:

I too couldn't reproduce it... then I got conflicting results...

It looks like I was causing it to fail by the way I was posting. After the first test post I would hit the back button twice and re-submit the same post again and again. This does work, but IF you get in a hurry and don't allow the refer screen to do its job the email isn't sent. (Makes sense if you think about it.) Then after that all retries fail, until you start fresh by clicking the postreply button.

Good job, looks like your fix is a success! Sorry for the false alarm.

Pete


Thanks for the follow-up detective work.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

By the way, I've just realized that the code for this mod before giving effect to the change I describe in my January 15th post above can take a pretty long time to run...so I would recommend people making the change I describe in that post (see http://www.phpbb.com/phpBB/viewtopic.ph ... 15#1397215 ).

To give you an idea of how important this is, note that on my board with 140 users the old query takes about 20 seconds to run (that's 20 seconds every time anyone posts and triggers a reply email notification!) while the new code is basically instantaneous. So to keep your board running fast, make this change!
wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber

Post by wGEric »

MOD Updated to version 1.0.5
See first post for Download Link
Eric
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Thanks, Eric. And once again, I encourage everyone who is using the older version - even if it is working fine - to switch to this new version so as not to load down your board. (Each version of the mod is only a single FIND and REPLACE so it is really easy to upgrade from the old version!)
chatasos
Registered User
Posts: 748
Joined: Wed May 15, 2002 1:16 pm
Location: Paralia

Post by chatasos »

I have the latest version of phpbb (2.0.15). Do I still need this mod if I want to prevent unauthorized users from getting notification emails or does phpbb already include the fix?
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

chatasos wrote: I have the latest version of phpbb (2.0.15). Do I still need this mod if I want to prevent unauthorized users from getting notification emails or does phpbb already include the fix?


The new version of phpbb still has this problem, so if you don't want unauthorized people to receive emails and then not be able to see posts when they click the links in the emails, you should go ahead and install this mod.