
View Permissions not working.

This discussion is related to the Basic Pages addon.

Hello! I have the newest Basic Pages add-on and Vanilla Forums 2.1.9

I enabled View Permissions and saved it, but I can't find the permissions anywhere. They're showing up in the database, but not under role management. When I first save a page with view permissions on, I get an error: (Removed some aspects)

Fatal Error in PHP.trigger_error();

Unknown column 'policyView' in 'field list'
The error occurred on or near: /var/www/wurmly.com/vanilla/library/database/class.database.php
395: $this->closeConnection();
396: continue;
397: }
399: trigger_error($message, E_USER_ERROR);
400: }
402: }
[/var/www/wurmly.com/vanilla/library/database/class.database.php:399] PHP::trigger_error();
[/var/www/wurmly.com/vanilla/plugins/Debugger/class.databasedebug.php:101] Gdn_Database->Query();
[/var/www/wurmly.com/vanilla/library/database/class.sqldriver.php:1691] Gdn_DatabaseDebug->Query();
[/var/www/wurmly.com/vanilla/library/database/class.sqldriver.php:1654] Gdn_SQLDriver->Query();
[/var/www/wurmly.com/vanilla/library/database/class.sqldriver.php:1195] Gdn_SQLDriver->Put();
[/var/www/wurmly.com/vanilla/applications/dashboard/models/class.permissionmodel.php:76] Gdn_SQLDriver->Replace();
[/var/www/wurmly.com/vanilla/applications/basicpages/controllers/class.pagessettingscontroller.php:292] PermissionModel->Define();
[/var/www/wurmly.com/vanilla/applications/basicpages/controllers/class.pagessettingscontroller.php:356] PagesSettingsController->NewPage();
[/var/www/wurmly.com/vanilla/applications/basicpages/controllers/class.pagessettingscontroller.php:356] PagesSettingsController->EditPage();
[/var/www/wurmly.com/vanilla/library/core/class.dispatcher.php:356] PHP::call_user_func_array();
[/var/www/wurmly.com/vanilla/index.php:46] Gdn_Dispatcher->Dispatch();
select *
from GDN_User User
where UserID = '2'; 0.000000s
select *
from GDN_Rank Rank
order by Sort asc; 0.000000s
select b.BadgeID, b.Enabled, b.RuleClass, b.RuleCriteria, ba.UserID from GDN_Badge as b left join GDN_BadgeAward as ba ON b.BadgeID = ba.BadgeID and ba.UserID = '2' ; 0.000000s
select b.BadgeID, b.Enabled, b.RuleClass, b.RuleCriteria, ba.UserID from GDN_Badge as b left join GDN_BadgeAward as ba ON b.BadgeID = ba.BadgeID and ba.UserID = '2' ; 0.000000s
select Count(UserID)
from GDN_User User
where Banned = '1'
and BanExpire < '2015-04-16 03:21:21'; 0.000000s
update GDN_User User
set Banned = '',
BanExpire = ''
where Banned = '1'
and BanExpire < '2015-04-16 03:21:21'; 0.000000s
select p.*
from GDN_Page p
where p.PageID = '5'; 0.000000s
select p.PageID as PageID
from GDN_Page p
where p.UrlCode = 'moderator-policy'
and p.PageID <> '5'; 0.000000s
show columns from GDN_Page; 0.000000s
update GDN_Page Page
set Name = 'Moderator Policy',
UrlCode = 'moderator-policy',
Body = '[cut out for now :)]',
Format = 'Html',
DateUpdated = '2015-04-16 03:21:21',
SiteMenuLink = '1',
ViewPermission = '1',
UpdateUserID = '2',
UpdateIPAddress = ''
where PageID = '5'; 0.000000s
show tables like 'GDN_Permission'; 0.000000s
show columns from GDN_Permission; 0.000000s
show indexes from GDN_Permission; 0.000000s
alter table GDN_Permission
add BasicPages.moderator-policy.View tinyint not null default 0; 0.000000s
select *
from GDN_Permission Permission
where RoleID = '0'
and JunctionTable is null
and JunctionColumn is null; 0.000000s
Variables in local scope:
[Sql] 'update GDN_Permission Permission
set BasicPages.moderator-policy.View = :BasicPagesmoderator-policyView
where RoleID = :RoleID
and JunctionTable is null
and JunctionColumn is null'
[InputParameters] array (
':BasicPagesmoderator-policyView' => 2,
':RoleID' => 0,
[Options] array (
'Type' => 'update',
'Slave' => NULL,
'ReturnType' => NULL,
[ReturnType] NULL
[tries] 2
[try] 0
[PDO] array (
[PDOStatement] false
[ex] array (
[message] 'Unknown column \'policyView\' in \'field list\''
[code] 1054
[state] '42S22'
Need Help?
If you are a user of this website, you can report this message to a website administrator.
If you are an administrator of this website, you can get help at the Vanilla Community Forums.
Additional information for support personnel:
Application: Vanilla
Application Version: 2.2.100
PHP Version: 5.5.9-1ubuntu4.7
Operating System: Linux
Server Software: Apache/2.4.7 (Ubuntu)
Referer: http://forums.wurmly.com/pagessettings/editpage/5?
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Request Uri: /pagessettings/editpage/5?
Controller: PHP
Method: trigger_error


  • Shadowdare Moderator
    edited April 2015

    Hello and thank you for trying Basic Pages!

    You've found a bug. The error occurs because PermissionModel fails at defining/saving a new permission with hyphens and probably other non-alphanumeric characters as well. @R_J originally contributed this feature to the application. @R_J, do you have any ideas on how to make this work?

    As a workaround, you can change the page's URL code from moderator-policy to something such as moderatorpolicy and it should let you save the page and have the custom view permission enabled for it.

    Add Pages to Vanilla with the Basic Pages app

  • R_J Ex-Fanboy Munich Moderator

    That's going to be an interesting one! It's the prepared statement that's causing the problem:

    PDO Statement failed to prepare
    Unknown column 'oView' in 'field list'
    set `BasicPages.a-o.View` = :BasicPagesa-oView
    where RoleID = :RoleID
      and JunctionTable is null
      and JunctionColumn is null'
    [InputParameters] array (
      ':BasicPagesa-oView' => 2,
      ':RoleID' => 0,

    So you should assume that the framework takes care of sanitizing variable names so that they can be used as named parameters, and in fact there is a function for that. But this function "Removes everything from the string except letters, numbers, dashes, and underscores". But the dash is not allowed! I'll go and make a pull request on GitHub.

    But sadly: no, I do not have a solution for now other than using no dashes in the url code :(

  • Jonathan W Scranton, PA

    Couldn't this be handled within the app? We know what isn't allowed, so perhaps a check - If View Permissions is enabled, either warn or cleanse the url code automatically? I know it's a kludge, but it would solve the issue for app users going forward, until something better can be done to fix the issue right.

    Unless I'm understanding you wrong, @R_J - it sounds like the issue is that the sanitizing function within the core SQL driver doesn't sanitize the string to what is needed for the database engine?

  • R_J Ex-Fanboy Munich Moderator

    I would wait for the next Vanilla version to handle such things correctly and not make those changes in a plugin. The error could come up whenever a plugin chooses to use a dash in a column name.

    Normally I preach not to change core files. But this time I would advise you to change the function like it is done here: https://github.com/vanilla/vanilla/pull/2682

  • Shadowdare Moderator
    edited April 2015

    Nice catch, @R_J! The NamedParameter() method should remove hyphens and only allow alphanumeric characters and underscores to match PHP PDO's implementation.

    If we keep it so UrlCodes can have hyphens and other special characters, then code would have to be added to accommodate for permission names that could be different from the UrlCode if NamedParameter() is updated by (1) checking if a custom view permission exists and see if it belongs to another page or the current page by comparing view permission names to UrlCodes and show an error saying the user should rename the UrlCode or (2) adding a foreign ID field referring to the permission for the page.

    On the contrary, the UrlCode code in Basic Pages could be updated to only allow alphanumeric characters and underscores upon page saving since we can assume that people who have pages with these characters in the UrlCode aren't using the custom view permission feature to be consistent with the NamedParameter() sanitizing, and therefore more user friendly when the admin sees the permissions page and doesn't have to worry that the permission names could be slightly different than the UrlCodes.

    As an alternative, what if we used a different field as the unique identifier for the custom view permission for each page? For example, we can have BasicPages.PageID_1.View, but it would make it harder to tell which page this permission refers to.


  • R_J Ex-Fanboy Munich Moderator

    But it's only the NamedParameter. You can use my-site as permission and also mysite without any problem because they are different permissions in the permission table. I think it should be accepted as a trade-off that you either have to edit core or don't use a dash in the url code.

    The url code is unique, so it is the best thing to use as a permission name.
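
The placeholder problem discussed in this thread, as an added example (not Vanilla's or Basic Pages' code; `pdoPlaceholderSplit` and `pdoSafeParam` are hypothetical names). It shows where PDO's scanner cuts the placeholder from the error dump, and one way to derive a placeholder from a column name using only letters, digits and underscores while keeping placeholder names unique within one statement.

```php
<?php
// Added example, not Vanilla or Basic Pages code. Function names are hypothetical.

// PDO's SQL scanner accepts only [A-Za-z0-9_] after the colon of a named
// placeholder, so it stops reading the name at the first other character.
function pdoPlaceholderSplit(string $placeholder): array
{
    preg_match('/^:[A-Za-z0-9_]+/', $placeholder, $m);
    $seen = $m[0] ?? '';
    // Second element is what stays behind in the SQL text as an expression.
    return [$seen, substr($placeholder, strlen($seen))];
}

// Build a placeholder PDO will read as a single token. Stripping characters
// can make two column names collide ("a-o" and "ao"), so a counter is
// appended when the name is already used in the same statement.
function pdoSafeParam(string $column, array &$used): string
{
    $base = preg_replace('/[^A-Za-z0-9_]/', '', $column);
    if ($base === '') {
        $base = 'p'; // column name had no usable characters at all
    }
    $name = ':' . $base;
    for ($i = 1; isset($used[$name]); $i++) {
        $name = ':' . $base . '_' . $i;
    }
    $used[$name] = $column;
    return $name;
}

// Placeholder taken from the error dump in the first post.
[$token, $rest] = pdoPlaceholderSplit(':BasicPagesmoderator-policyView');
echo "PDO binds:   $token\n";
echo "left in SQL: $rest\n";

// Two url codes that differ only by the hyphen, used in one statement.
$used = [];
$columns = ['BasicPages.moderator-policy.View', 'BasicPages.moderatorpolicy.View'];
foreach ($columns as $col) {
    $param = pdoSafeParam($col, $used);
    // The column identifier keeps its hyphen inside backticks;
    // only the placeholder name is reduced to the safe character set.
    echo "set `" . str_replace('`', '``', $col) . "` = $param\n";
}
```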
