Geeklog Forums
root Admin can't delete or add?
Jeremy
Anonymous
Hi,
Just did a plain install and noticed that the default Admin user cannot delete/add groups/users. I managed to register myself as another user and that worked ok. However the admin user could not change my permissions.
Looks like it's a specific admin rights problem that I am missing.
Oh and when you delete or edit it looks like it worked. I mean there was no error it just redirected back to menu page.
Any Ideas?
Jeremy
Anonymous
Yes just the standard professional theme.
I am using it on IIS with FastCGI if that makes a difference.
Jeremy
Anonymous
Hi,
I found this in the access.log file
User Admin tried to illegally delete topic Geeklog and failed CSRF checks.
Regards
Jeremy
Dirk
Site Admin
Admin
Quote by: Jeremy
User Admin tried to illegally delete topic Geeklog and failed CSRF checks.
As suspected. Since you're using the Professional theme, I suspect that your browser is not sending referrers or you're using a proxy or firewall that filters them out. Check that and try to enable referrers.
bye, Dirk
Jeremy
Anonymous
Did an echo on the ($tokendata['urlfor'] != $_SERVER['HTTP_REFERER'])
and the HTTP_REFERER included the query_string and thus did not match urlfor.
Did a little parsing of the REFERER to remove query string and it works now.
$ref = parse_url($_SERVER['HTTP_REFERER']);
$newReferer = $ref['scheme'] . "://" . $ref['host'] . $ref['path'];
However not sure if that is the correct solution
Jeremy
THEMike
Forum User
Moderator
What browser are you using?
I think the referrer sent is controlled by the browser, rather than the web server.
Need to get this happening for me to debug and make sure the fix works, Firefox and IE7 both send the querystring on the referer. The system logs the query string.
Can you check gl_tokens and see if the token created has the query string on it? Maybe IIS + FastCGI isn't setting $_SERVER['QUERY_STRING']?
Mike
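A diagnostic sketch of the comparison discussed in this thread, as an added example that is not Geeklog's code and not from any poster: it classifies why a stored token URL and the Referer header differ (header missing, query string only, or a different page). `$urlfor` stands in for `$tokendata['urlfor']`; the function names and all URLs are hypothetical, constructed values.

```php
<?php
// Added example, not Geeklog code. $urlfor stands in for $tokendata['urlfor'];
// every URL below is a constructed sample value.

// Reduce a URL to scheme://host[:port]/path; returns null if it cannot be parsed.
function normalizeUrl(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;                     // header stripped by browser, proxy or firewall
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $path = $p['path'] ?? '/';           // parse_url() omits 'path' for a bare origin
    return strtolower($p['scheme'] . '://' . $p['host']) . $port . $path;
}

// Classify the comparison so a log line can say why the check failed.
function compareReferer(string $urlfor, ?string $referer): string
{
    if ($referer === null || $referer === '') {
        return 'referer-missing';
    }
    if ($urlfor === $referer) {
        return 'exact-match';
    }
    $a = normalizeUrl($urlfor);
    $b = normalizeUrl($referer);
    if ($a !== null && $a === $b) {
        return 'match-ignoring-query';   // the case reported in this thread
    }
    return 'mismatch';
}

$urlfor = 'http://example.test/admin/topic.php';            // constructed
$cases = [
    'http://example.test/admin/topic.php',                  // -> exact-match
    'http://example.test/admin/topic.php?mode=edit&tid=1',  // -> match-ignoring-query
    'http://other.test/admin/topic.php?mode=edit',          // -> mismatch
    null,                                                   // -> referer-missing
];
foreach ($cases as $referer) {
    printf("%-58s %s\n", var_export($referer, true), compareReferer($urlfor, $referer));
}
```

Ignoring the query string still ties the request to the same scheme, host and path, but it is a looser test than the exact match, so logging which class a failure falls into helps decide whether the stored URL or the comparison should change.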