Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

[GitHub Bug #1609] I removed a plugin from the dashboard and all my plugins disappeared !

135

Answers

  • peregrineperegrine MVP
    edited May 2013

    V,

    modules/class.settingsmodule.php:45:

    $IsRemovable = IsWritable(PATH_PLUGINS . DS . $PluginFolder);

    library/core/functions.general.php:1362: function IsWritable($Path) {

    You need to wrap you mind around the owner of the file. vs. the permissions that occur when viewing a webpage.

    if you have 7 as the first number and the ownership of the file or folder is the same as the id of the owner the is running the webpage process. then they have write permission and the setting the remove button shows up.

    if they don't match it won't show up unless the group permissions are writeable or the other is writeable.

    try a tutorial on on unix permissions and it will be clearer.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    From applications dashboard controllers settings controller

      /**
        * Remove an addon.
        *
        * @since 2.0.0
        * @access public
        * @param string $Type Application or plugin.
        * @param string $Name Unique ID of app or plugin.
        * @param string $TransientKey Security token.
        */
       public function RemoveAddon($Type, $Name, $TransientKey = '') {
          $RequiredPermission = 'Undefined';
          switch ($Type) {
             case SettingsModule::TYPE_APPLICATION:
                $Manager = Gdn::Factory('ApplicationManager');
                $Enabled = 'EnabledApplications';
                $Remove  = 'RemoveApplication';
                $RequiredPermission = 'Garden.Applications.Manage';
             break;
             case SettingsModule::TYPE_PLUGIN:
                $Manager = Gdn::Factory('PluginManager');
                $Enabled = 'EnabledPlugins';
                $Remove  = 'RemovePlugin';
                $RequiredPermission = 'Garden.Plugins.Manage';
             break;
          }
          
          $Session = Gdn::Session();
          if ($Session->ValidateTransientKey($TransientKey) && $Session->CheckPermission($RequiredPermission)) {
             try {
                if (array_key_exists($Name, $Manager->$Enabled()) === FALSE) {
                   $Manager->$Remove($Name);
                }
             } catch (Exception $e) {
                $this->Form->AddError(strip_tags($e->getMessage()));
             }
          }
          if ($this->Form->ErrorCount() == 0)
             Redirect('/settings/plugins');
       }
    
  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited May 2013

    @peregrine Yes I am trying to wrap my mind around it, I should have those permissions as I had them before the plugins got wiped, now they did something to this forum that I do not have the same permissions, I do not see the remove button in the dashboard of this install anymore.

    The others have it and work.

  • call your host to get what you want done.

    then read a unix tutorial on ownership and permissions. it will be clearer.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    if you have 7 as the first number and the ownership of the file or folder is the same as the id of the owner the is running the webpage process. then they have write permission and the setting the remove button shows up.

    yes I understand that , which is what is so strange, I did not touch any permissions .

    On my other domains under this main domain, they all have the remove buttons. I used to have them too on this one... but after they put the plugins from backup back in the permissions were changed somehow because the buttons do not show up anymore and noticed the problem deleting files.

    call your host to get what you want done.

    Yes I did, specially after paying them 80 bucks...they saved the plugins but screwed something in the process..

    then read a unix tutorial on ownership and permissions. it will be clearer.

    already on it. I was sure I had ownership and it was the same but it is possible that they own the plugins folder they put back in? since they fished it out of their back up ?

    I hope jesus can help, or whoever they(host) mean by higher authority.... :(

  • peregrineperegrine MVP
    edited May 2013

    call your host to get what you want done.

    I meant to correct it so you can manipulate the file somehow.

    this might help you wrap your head around ownership.

    http://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website

    https://drupal.org/node/244924

    I don't know what your server OS is, I forgot. I only understand unix/linux. I don't fool around with windows or other OS's

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    vrijvlinder
  • hgtonighthgtonight ∞ · New Moderator

    @vrijvlinder The function IsRemovable checks to see if the php execution user has file write permissions for that plugin folder in the operating system.

    $this->Permission('Garden.Settings.Manage'); checks the currently logged in Vanilla user for Garden permissions.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Ok I understand that part, what I am saying is that if this is correct that In order to get the delete buttons one must have full ownership in all levels, then I did have it before the plugin folder was wiped by deleting one plugin, and when they replaced the folder with the plugins from their back up , I no longer have the same ownership on that domain, but I still have full ownership on the other subdomains stored in the same place in subdirectories , since I do get the delete button in the dashboard.

    I tested those and they work fine....I deleted a plugin from the dashboard on every instal and it was fine.

    Do I understand correctly?

    I had full permissions and now I don't ?

    That still does not explain how the folder got deleted without even a confirm pop up to be sure? It just deleted and refreshed. No confirm dialog.

  • peregrineperegrine MVP
    edited June 2013
    You still are not understanding the concept.
    
    read up on processes and lookup google "top unix command"  and unix process ids.
    
    
    
    You need to wrap your head around "owner" in when the webserver does its thing to run the php script or cgi or whatever the webserver is doing.  It is a process.  In simplest terms all processses run with an owner
    

    PROCESS OWNERSHIP or "USER"

    when someone clicks a web page on your server a process gets run
    
    PID        USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND         
    60008 www-data  20   0 55352  17m 4204 S 31.7  0.9   0:08.52 apache2
    
    in the column USER - "www-data"  is the owner of the process.
    
    therefore when i run a web page the owner is www-data
    

    FILE PERMISSIONS   
    - owner permissions for files and folders
    

    lets say you have a folder or file called "Testing"

    owner group filename permissions
    www-data blah Testing 777

    www-data has owner permissions  -  this is the first number   e.g.   7xx   6xx  4xx
    
    7 6 and 4  refer to permissions that are additive
    
    rwx  -  read write execute
    
    read = 4
    write = 2
    execute = 1
    
    if something has only read permissions it will have 4
    if something has write permissions it will have 2
    if something has read and write permissions, it has 6
    if something has read and execute but not write it has 5
    if something has read write execute it is 7
    

    www-data is also in a group  (in this example blah).
    

    owner group filename permissions
    www-data blah Testing 777

    x7x
    
    the process has permissions to affect the file (read write or execute) because the user www-data is in the blah group and the file is in group blah as well.
    
    ------
    
    
    so what all this means is if the process apache2  has an owner www-data  it can do what ever the file permissions allow on files owned by user id  www-data  
    
    the first number  in the xxx   <b>7</b>77
    
    so what all this means is if the process apache2  is in group  "blah"  it can do what ever the file permissions allow on files with group id "blah"
    
    the second number  in the xxx   7<b>7</b>7
    
    
    
    so if the plugins folder is owned by www-data and the apache process is running under user www-data   then the permissions based on the first number are what concern you.
    
    so if the plugins folder is owned by vrjvlinder and vrjvlinder is in group "blah"
    the group permissions apply (second number of triplet)
    
    
     the apache process is owned by www-data and www-data is in group blah.
    the first number is a moot point  the apache process can't affect the file based on first number (different process owner (www-data) and file owner  (vrjvlinder), it then needs to see if vrjvlinder and www-data owner (uids) are both part of the blah group
    
    so because both the process and file are both matched  (both part of blah group)
    
    we look at the second number in the triplet   x7x
    x7x is rwx  (the write bit is set)
    

    if it was x5x is r-x (the write bit is not set)

    if neither the owner or group match we look at the other group - this is anything
    
    so 
    
    xx7  mean  process can read write execute any  file or rename delete or add to a folder with xx7 permissions
    
     xx5  means  process can write to the file or delete it (because the write bit is on)
    
    if you have write privilieges (it is essentially means you can delete as well
    
    
    
    so in summary if the apache process is www-data uid
    
    and the 
    
    owner of folder www-data plugin/testplugin  is 700
    
    then the remove setting will show up because the file is writeable by the process owner
    (we dont care about the last two numbers of triplet because the first matches)
    
    if the "joe" is the owner of folder   plugin/testplugin  with permissions 700  they are different owners (joe and process owner www-data of apache)
    
    the remove will not show up if we were only looking at the first number 
    
    ---
    
    so we next
    

    look to match group permissions

    apache process is still www-data in the group blah
    

    owner group filename permissions
    www-data blah Testing 070 writeable because of group match
    vrjvlinder blam Testing2 070 not writeable because of group of process doesn't match group of file

    if x7x  and the group id of the folder is blah 
    it will show up as remove plugin
    
    
    go to top and read again
    repeat 20 times.
    
    its a tricky concept.
    

    so you need to know what the owner of the process that displays your web page
    and the id or the owner that owns the file


    this still doesn't explain what happened, but until you understand the concept of permissions and owner of both process and file you will always be at a bit of a loss.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    vrijvlinder
  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    @peregrine

    Yes I think I understand that, the link you gave explained it well. owner is a movable position depending on who is using the data at the time. Server needs to be owner when serving the files etc. The process is what gets ownership.

    I do understand p thanks for the more in depth explanation . And yes it does not explain what happened to the plugins after deleting one. I can appreciate the whole ownership deal better now.

    The end result is that they (host) changed something . After putting the folder back.

    This result is kind of explained in the link you posted. When you place a file that you are not owner of into the file system it resets the permissions of all the folders or something like that to the default 755 or 644 .

    It is alarming what they say about 777. The whole thing was a real nightmare to have happened to me. Not knowing why it happened is stressful ...

    I hope the host can figure out what they did and restore it like it was.
    My stress level hit max and I still have not come down :(

    I tried to find out about their system but all they say in the about fat cow, is they use debian , no mention about if it's linux or other. I think it is linux , who the hell would use windows? but I will find out when I talk to them tomorrow to find out what is happening.

  • I tried to find out about their system

    all you have to do is put phpinfo() in a php program on your hosts server and it gives you al the vital info - e.g. user group of apache process, os the server is runnning, all the php modules.

    debian is a flavor of linux.

    phpinfo() is your friend.

    http://kb.mediatemple.net/questions/764/How+can+I+create+a+phpinfo.php+page?#gs

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • hgtonighthgtonight ∞ · New Moderator

    You should also be able to figure out the user of php on your server with <?php pass_thru ("whoami"); ?>

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    peregrine
  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited June 2013

    cool here it is ! well I think I will pm this to you it contains way too much info

  • peregrineperegrine MVP
    edited June 2013

    @hgtonight said:
    You should also be able to figure out the user of php on your server with <?php pass_thru ("whoami"); ?>

    • if your host has this mod enabled.

      mod_auth_passthrough

    • or you could try this if your host allows system calls/

    <?php system("id");?>

    in filezilla you can see group and id ownership on your folders and files.

    if you right click on the horizontal bar that says filename you will see an option for which columns to print out. select owner/group.

    also if you create your own ubuntu server at home you could use gftp or any other unix transfer utility to see folder permissions, groups and owners on the remote system.

    I highly recommend creating your own ubuntu server at home on an old pc. you'll learn a whole lot and you seem to like to learn rather than getting "quick fixes" without learning.

    depending on the environment phpinfo will display user and group of process of who is the perceived user and group running the web-page. In your case it doesn't display user and group but it certainly shows system characteristics and mods to php.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    hgtonight
  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Yea learning is like drugs to me lol give me more more more knowledge!!

    I hate "quick fixes" without learning. That would mean I would never be self-reliant , everything you learn should serve you at least once or twice afterwards if not for ever.

    I will try what you suggest, can't do the home server atm I am in Mexico and only have my mac with me this time. But when I get back home I will.

  • well did system or pass-thru give you any information.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    Going to do try that now, I had to go to the store ....

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited June 2013

    @peregrine this is what I get with the <?php system("id");?>

    uid=1492896(moo.vrijvlinder) gid=15010(cgiuser) groups=15020,15010(cgiuser)

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited June 2013

    Something very odd here look at the permissions for the plugins, the only plugin with permissions is the one I just installed .

    they should all have 1492896 15010

  • this is why I disagree either touching the folders at all or attempting to set their permissions.

    do you use any javascript minfier?

    grep is your friend.

Sign In or Register to comment.