Codoforum related discussions
Creating new topic : category/forum permission issue

If you define roles to manage permissions on a category/forum, you may hit a minor bug when creating a new topic: users can select all the categories/forums instead of only the categories where they are allowed to create topics.

The solution:

/sys/CODOF/Forum/Category.php
line number 51, change the function

   public function getCategoriesWhereUserCanCreateTopic() {

        $cats = array();
        $user = \CODOF\User\User::get();
        $qry = 'SELECT cat_id, cat_pid, cat_name, cat_alias, no_topics, cat_img, granted'
                . ' FROM ' . PREFIX . 'codo_categories, codo_permissions '
                . ' WHERE permission=\'create new topic\' AND cid=cat_id AND rid=' . $user->rid . ''
                . ' AND EXISTS (SELECT 1 FROM codo_permissions AS p WHERE '
                . '  p.cid=cat_id AND p.rid=' . $user->rid . ' AND permission=\'create new topic\' AND granted=1) '
                . ' ORDER BY cat_order';

        $ans = $this->db->query($qry);

        if ($ans) {

            $cats = $ans->fetchAll(\PDO::FETCH_CLASS);
        }

        $cats = \CODOF\Hook::call('on_get_categories_for_create_topic', $cats);

        return $cats;
    }

Hi,

Thanks for pointing out this bug and even providing a fix for it.

We feel the below will be a better change as a user may have more than one role:

    public function getCategoriesWhereUserCanCreateTopic() {

        // initialise so the hook always receives an array, even when the query fails
        $cats = array();
        $user = \CODOF\User\User::get();
        $rids = implode(",", $user->rids);

        $qry = 'SELECT cat_id, cat_pid, cat_name, cat_alias, no_topics, cat_img'
                . ' FROM ' . PREFIX . 'codo_categories'
                . ' INNER JOIN ' . PREFIX . 'codo_permissions ON cid=cat_id '
                . ' WHERE permission=\'create new topic\''
                . ' AND granted=1 '
                . ' AND rid IN (' . $rids . ')'
                . ' ORDER BY cat_order';

        $ans = $this->db->query($qry);

        if ($ans) {

            $cats = $ans->fetchAll(\PDO::FETCH_CLASS);
        }

        $cats = \CODOF\Hook::call('on_get_categories_for_create_topic', $cats);

        return $cats;
    }

Hello,

The same problem exists in the function get_categories. The permission "view category" is only handled for the primary role of the user.

The code

    $user = \CODOF\User\User::get();
    $qry = 'SELECT cat_id, cat_pid, cat_name, cat_alias, no_topics, cat_img, granted'
           . ' FROM ' . PREFIX . 'codo_categories, codo_permissions '
           . ' WHERE permission=\'create new topic\' AND cid=cat_id AND rid=' . $user->rid . ''
           . ' AND EXISTS (SELECT 1 FROM codo_permissions AS p WHERE '
           . '  p.cid=cat_id AND p.rid=' . $user->rid . ' AND permission=\'create new topic\' AND granted=1) '
           . ' ORDER BY cat_order';

must be changed to

    $user = \CODOF\User\User::get();
    $rids = implode(",", $user->rids);
    $qry = 'SELECT cat_id, cat_pid, cat_name, cat_alias, no_topics, cat_img, granted, show_children'
           . ' FROM ' . PREFIX . 'codo_categories, codo_permissions '
           . ' WHERE permission=\'view all topics\' AND cid=cat_id AND rid IN (' . $rids . ')'
           . ' AND EXISTS (SELECT 1 FROM codo_permissions AS p WHERE '
           . '  p.cid=cat_id AND p.rid IN (' . $rids . ') AND permission=\'view category\' AND granted=1) '
           . ' ORDER BY cat_order';

Best regards

Sascha

edited Mar 29 '17 at 3:07 pm
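The role check discussed in the two posts above (the create-topic fix and the get_categories variant), reproduced as an added stand-alone example; this is not Codoforum's code. It uses an in-memory SQLite database with constructed tables reduced to the columns the thread's queries touch, and shows the primary-role-only query beside the all-roles query, using bound parameters instead of string concatenation and DISTINCT so that a category granted through several roles is listed once.

```python
import sqlite3

# Constructed sample schema and data (not Codoforum's real tables): only the
# columns the thread's queries use. Role 1 is the user's primary role.
SCHEMA = """
CREATE TABLE codo_categories (cat_id INTEGER, cat_name TEXT, cat_order INTEGER);
CREATE TABLE codo_permissions (cid INTEGER, rid INTEGER, permission TEXT, granted INTEGER);
"""
CATEGORIES = [(1, "General", 1), (2, "Staff only", 2), (3, "Announcements", 3)]
PERMISSIONS = [
    (1, 1, "create new topic", 1),  # role 1 may post in General
    (1, 2, "create new topic", 1),  # role 2 may post in General too
    (2, 2, "create new topic", 1),  # only role 2 may post in Staff only
    (3, 1, "create new topic", 0),  # role 1 explicitly denied in Announcements
    (3, 2, "create new topic", 1),  # role 2 allowed in Announcements
]

def _db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO codo_categories VALUES (?,?,?)", CATEGORIES)
    con.executemany("INSERT INTO codo_permissions VALUES (?,?,?,?)", PERMISSIONS)
    return con

def cats_primary_role_only(con, rid):
    """The reported behaviour: only the user's primary role id is consulted."""
    rows = con.execute(
        "SELECT cat_id FROM codo_categories JOIN codo_permissions ON cid=cat_id"
        " WHERE permission='create new topic' AND granted=1 AND rid=?"
        " ORDER BY cat_order", (rid,))
    return [r[0] for r in rows]

def cats_any_role(con, rids):
    """The thread's fix: every role the user holds is consulted (rid IN ...).
    Placeholders are bound per role, and DISTINCT collapses the one row per
    granting role that the join would otherwise return."""
    marks = ",".join("?" * len(rids))
    rows = con.execute(
        "SELECT DISTINCT cat_id, cat_order FROM codo_categories"
        " JOIN codo_permissions ON cid=cat_id"
        f" WHERE permission='create new topic' AND granted=1 AND rid IN ({marks})"
        " ORDER BY cat_order", tuple(rids))
    return [r[0] for r in rows]

def demo():
    """Returns (buggy result, fixed result) for a user holding roles 1 and 2."""
    con = _db()
    return cats_primary_role_only(con, 1), cats_any_role(con, [1, 2])
```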

Thank you for pointing that out; we will make any required changes.
