Bug Permissions not being set when ajax.php is called.

Status
Not open for further replies.
C

CheeSie

New member
I've made it possible for my members to purchase the ability to customize their profiles through the shop. When the proper items have been bought it is in fact possible for them to change their css values, they get a response saying the changes were saved, but in fact they're not. So I checked where the settings are being saved and found this in vb/profilecustomization.php:

PHP: 
<?php
	/*** This loads the permission variables
	 *
	 *	@param	mixed	permissions array, optional
	 *
	 ***/

	public static function setPermissions($permissions = false)
	{
		if (!$permissions)
		{
			$permissions = vB::$vbulletin->userinfo['permissions']['usercsspermissions'];
		}
		//Initially we are commenting out "theme" permissions.
		if (!isset($vbulletin->bf_ugp_usercsspermissions['canusetheme']))
		{
				self::$permissions['canusetheme'] = false;
		}
		else
		{
			self::$permissions['canusetheme'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['canusetheme'];
		}


		self::$permissions['cancustomize'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['cancustomize'];
		self::$permissions['caneditfontfamily'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['caneditfontfamily'];
		self::$permissions['caneditfontsize'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['caneditfontsize'];
		self::$permissions['caneditbgimage'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['caneditbgimage'];
		self::$permissions['caneditcolors'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['caneditcolors'];
		self::$permissions['caneditborders'] = $permissions & vB::$vbulletin->bf_ugp_usercsspermissions['caneditborders'];
	}
?>

As you can see the user permissions are being sent to that function, but when I added a var_dump(self::$permissions) at the bottom of that function all the permissions were 0.

I'm guessing your cache_permissions aint being called when the ajax.php is being loaded..
... Just saw that in your cache_permissions.php hook file, you do not add the purchased permissions when ajax is enabled.. why is this?

Also I'm still having problems with the pm space. My users purchased a larger inbox, and they did get it.. It says they can have 2000 messages but the users still cant PM them unless they have the ignore PM quota permission!
 
Last edited:
I'll look into it, but unless the $permissions parameter is sent during said checks, it is not going to be possible to fix it.
 
it's not.. $permissions is false.. so it fetches them.. but in your cache_permissions.php you do not allow for ajax calls.. why is that?
 
That doesn't make sense. vBulletin uses a new method for caching User CSS permissions, they aren't using their own cache_permissions function.

AJAX calls are entirely irrelevant to this.
 
Nooo.. in ajax.php this is executed when the user requests to save the css:
Code: 
if ($_REQUEST['do'] == 'saveusertheme' )
{
	//class db_Assertor needs to be initialized.
	vB_dB_Assertor::init(vB::$vbulletin->db, vB::$vbulletin->userinfo);

	echo vB_ProfileCustomize::saveUserTheme($vbulletin->GPC['usertheme'], $vbulletin->userinfo);

}

As you can see they call the saveUserTheme function (i've made the important part stand out):
Code: 
/*** This function does a save from the profile page, responding to an ajax call
	 *
	 *	@param mixed	the theme info
	 *	@param mixed	the user object
	 *
	 *	@return	string	a success or failure notice
	 ***/

	public static function saveUserTheme($usertheme, $userinfo)
	{
		$vars = array(
			'font_family' => TYPE_STR,
			'fontsize' => TYPE_STR,
			'title_text_color' => TYPE_STR,
			'page_background_color' => TYPE_STR,
			'page_background_image' => TYPE_STR,
			'page_background_image' => TYPE_STR,
			'page_background_repeat' => TYPE_STR,
			'module_text_color' => TYPE_STR,
			'module_link_color' => TYPE_STR,
			'module_background_color' => TYPE_STR,
			'module_background_image' => TYPE_STR,
			'module_background_repeat' => TYPE_STR,
			'module_border' => TYPE_STR,
			'moduleinactive_text_color' => TYPE_STR,
			'moduleinactive_link_color' => TYPE_STR,
			'moduleinactive_background_color' => TYPE_STR,
			'moduleinactive_background_image' => TYPE_STR,
			'moduleinactive_background_repeat' => TYPE_STR,
			'moduleinactive_border' => TYPE_STR,
			'headers_text_color' => TYPE_STR,
			'headers_link_color' => TYPE_STR,
			'headers_background_color' => TYPE_STR,
			'headers_background_image' => TYPE_STR,
			'headers_background_repeat' => TYPE_STR,
			'headers_border' => TYPE_STR,
			'content_text_color' => TYPE_STR,
			'content_link_color' => TYPE_STR,
			'content_background_color' => TYPE_STR,
			'content_background_image' => TYPE_STR,
			'content_background_repeat' => TYPE_STR,
			'content_border' => TYPE_STR,
			'button_text_color' => TYPE_STR,
			'button_background_color' => TYPE_STR,
			'button_background_image' => TYPE_STR,
			'button_background_repeat' => TYPE_STR,
			'button_border' => TYPE_STR,
			'page_link_color' => TYPE_STR);

		//We only do this if we're logged in as a user.
		if (!intval($userinfo['userid']))
		{
			return 'profile_save_permission_failed_desc';
		}

		//We need the array to pass to the GPC cleaner
		$vars = array('themeid' => TYPE_UINT,
			'deletetheme' => TYPE_UINT,
			'saveasdefault' => TYPE_UINT);
		//Since we're here, we need to know which vars are controlled by which permission
		//might as well do that since we're scanning the array.

		$bg_vars = $color_vars = $border_vars = array();
		foreach(self::$themevars as $varname)
		{
			$vars[$varname] = TYPE_STR;
			if (strpos(varname, 'border') !== false)
			{
				$border_vars[] = $varname;
			}
			else if (strpos(varname, 'background') !== false)
			{
				$bg_vars[] = $varname;
			}
			else
			{
				$color_vars[] = $varname;
			}
		}

		[SIZE="7"]if (!self::$permissions)
		{
			self::setPermissions();
		}[/SIZE]

		vB::$vbulletin->input->clean_array_gpc('r', $vars);

		$userid = $userinfo['userid'];
		//see if the user is trying to save as default
		if (vB::$vbulletin->GPC_exists['saveasdefault'] AND (vB::$vbulletin->GPC['saveasdefault'] == 1))
		{
			require_once DIR . '/includes/adminfunctions.php';

			if (can_administer('cansetdefaultprofile'))
			{
				$userid = -1;
			}
		}


		$savedprofile = vB_dB_Assertor::getInstance()->assertQuery('customprofile',
			array('type' => 's', 'userid' => $userid));
		//We need to know whether we're updating or saving
		if ($savedprofile)
		{
			$current = $savedprofile->current();
		}

		//If the user has passed theme = 0 or theme = -1, that means they want the default.
		//So we delete their record if it exists.
		if (vB::$vbulletin->GPC_exists['deletetheme'] AND (intval(vB::$vbulletin->GPC['deletetheme']) )
			AND $current)
		{
			//We just clear the settings;
			$response =  vB_dB_Assertor::getInstance()->assertQuery('customprofile',
				array('type' => 'd', 'customprofileid' => $current['customprofileid']));
			return 'user_profile_reset_to_default';

		}

		//if we have a themeid and they have permissions, we skip all the individual
		// settings and just save the themeid.
		//if we got a themeid we handle that directly.
		if (vB::$vbulletin->GPC_exists['themeid'] AND intval(vB::$vbulletin->GPC['themeid'])
			AND self::$permissions['canusetheme'])
		{
			//let's trim all the non-theme settings. Otherwise we get strange effects later
			// if we currently have background settings and later someone edits their css
			$settings = array('themeid' => vB::$vbulletin->GPC['themeid']);
			foreach (self::$themevars as $themevar)
			{
				$settings[$themevar] = '';
			}
			if ($current)
			{
				$settings['type'] = 'u';
				$settings['customprofileid'] = $current['customprofileid'];
			}
			else
			{
				$settings['type'] = 'i';
				$settings['userid'] = $userinfo['userid'];
			}
			$response =  vB_dB_Assertor::getInstance()->assertQuery('customprofile', $settings);

		}
		else
		{
			//Now we confirm permissions. We unset every variable for which
			// they don't have permission.

			if ($userid != -1)
			{
				if (!self::$permissions['caneditfontfamily'] )
				{
					unset($vars['font_family']);
				}

				if (!self::$permissions['caneditfontsize'])
				{
					unset($vars['fontsize']);
				}

				if (!self::$permissions['caneditcolors'])
				{
					foreach($color_vars as $varname)
					{
						unset($vars[$varname]);
					}
				}

				if (!self::$permissions['caneditbgimage'])
				{
					foreach($bg_vars as $varname)
					{
						unset($vars[$varname]);
					}
				}

				if (!self::$permissions['caneditborders'])
				{
					foreach($border_vars as $varname)
					{
						unset($vars[$varname]);
					}
				}
			}

			//let's set the submitted variables
			foreach ($vars as $varname => $value)
			{
				if (vB::$vbulletin->GPC_exists[$varname])
				{
					if (vB::$vbulletin->GPC[$varname] == 'null')
					{
						if (strpos($varname, 'image'))
						{
							$vars[$varname] =	'none';
						}
						else if (strpos($varname, 'repeat'))
						{
							$vars[$varname] =	'no-repeat';
						}
						else
						{
							$vars[$varname] =	'inherit';
						}
					}
					else
					{
						if (strpos($varname, 'repeat'))
						{
							$vars[$varname] =	self::cleanRepeat(vB::$vbulletin->GPC[$varname]);
						}
						else
						{
							$vars[$varname] = vB::$vbulletin->GPC[$varname];
						}
					}
				}
				else
				{
					unset($vars[$varname]);
				}
			}

			$vars['themeid'] = 0;

			//If we are setting as site default, we're ready to save
			if ($userid == -1)
			{
				$savedprofile = vB_dB_Assertor::getInstance()->assertQuery('customprofile',
				array('type' => 's', 'userid' => -1));

				//We need to know whether we're updating or saving
				if ($savedprofile)
				{
					$current = $savedprofile->current();
				}
				$vars['userid'] = -1;

				if ($current)
				{
					$vars['customprofileid'] = $current['customprofileid'];
					$vars['type'] =  'u';
				}
				else
				{
					unset($vars['customprofileid']);
					$vars['type'] =  'i';
				}
			}
			else
			{
				//These are what were passed to the page via ajax load,
				// and they are probably wrong. Certainly untrustworthy
				unset($vars['userid']);
				unset($vars['customprofileid']);
				if ($current)
				{
					$vars['customprofileid'] = $current['customprofileid'];
					$vars['type'] =  'u';
				}
				else
				{
					$vars[userid] = $userinfo['userid'];
					$vars['type'] =  'i';
				}
			}
			$response =  vB_dB_Assertor::getInstance()->assertQuery('customprofile', $vars);
		}

		if ($response)
		{
			return 'user_profile_saved';
		}
		else
		{
			return 'update_failed';
		}


	}

And then we're back to the function I showed in the first post..

And as your cache_permissions.php does not allow for it to be run when ajax is set to true it wont cache the permissions..
See:
Code: 
if ($user['userid'] == $vbulletin->userinfo['userid'] AND isset($user['dbtech_vbshop_purchase']) AND [SIZE="7"]THIS_SCRIPT != 'ajax'[/SIZE] AND class_exists('VBSHOP'))

I'm guessing that's where it goes wrong..
But then again, you probably know a lot more about how vb is setup xD
 
Aha, now I see what you mean. I didn't know it saved them via AJAX, my bad :(

I don't remember why I excluded ajax.php from that function, but you can try removing that bit of the code and see if it produces any adverse affects :)
 
Aha! FOUND IT! :P

I do believe I still have to comment out that THIS_SCRIPT != 'ajax'... But what seems to be the biggest problem is this:

When having bought the proper permissions, the user can in fact design his layout and save the changes. Upon reloading of the profile the changes are gone! However if I go to the admin cp and set all the bought permissions to yes for the usergroup and then go to the profile, the customizations are applied.

So I'm not really sure where the problem is exactly, but it must be something with the permissions since it works when granting the permissions to the usergroup.
 
Hotfixed for Pro :)

Change the first line of cache_permissions.php to
PHP: 
if (/*$user['userid'] == $vbulletin->userinfo['userid'] AND THIS_SCRIPT != 'ajax' AND */isset($user['dbtech_vbshop_purchase']) AND class_exists('VBSHOP'))

The reason is that they re-cache permissions in the css.php file - which is what handles the custom CSS - and they don't create a new session so the user.userid = userinfo.userid check failed even if you were viewing your own profile :)
 
I'm gonna have to say it's bugging again.
A member of mine cant save the background images (they've purchased permissions to customize their profile and change the background images)... Any idea as to what might be up with this?
 
I'll try looking into it, but it's sadly not possible to guarantee that literally every permission works due to the reasons explained previously in this thread.
 
Status
Not open for further replies.

Similar threads

Darkwaltz4
  • Locked
AddOn vBCredits II Deluxe API
2
Replies
21
Views
14K
Mokonzi
Mokonzi

Legacy vBShop

vBulletin 3.8.x vBulletin 4.x.x
Seller
DragonByte Technologies
Release date
Last update
Total downloads
1,260
Customer rating
0.00 star(s) 0 ratings
Top