
Roles and Permissions disaster

Using SSO in WP and I am having a potentially disastrous problem with roles and permissions. I set a person's role and as soon as they refresh their page it reverts back to what it was before I changed it.

I googled and couldn't find anything. Has anyone else run into an issue like this before?

Comments

  • Sorry about the crappy quality of the video but here you can see it happen:

  • I cannot modify anyone's access

  • Is there some sort of lag time where if a poster refreshes too soon after an edit the changes get overwritten with the previous entry?

  • hmmmm changes are definitely not saving.

  • Any help at all guys? Currently I cannot assign moderators and manage permissions for different groups

  • vrijvlinder Papillon-Sauvage MVP
  • hmmm that talks about a different version. This seems extreme to me and frankly I am nervous I am going to completely destroy my installation. There seems to be a bunch of talk about what people might want to try to do without an actual agreed upon final solution. It talks about version 2.0.1.8 or something where I am on 2.3 so is that going to be a problem?

  • R_J Ex-Fanboy Munich Admin

    Sounds really weird. I'm not sure if this is a database problem and not a jsconnect problem.

    I'm also not sure if you really see the database information when adding the role or if you see some AJAX result. So please check if the second role appears for that member in the GDN_UserRole table. Much more simple than looking into the database is to assign another role to another user and after saving it directly edit it again and see if the role still exists.
    Try this with another user and the admin user that you are using when doing the changes.

    Personally I would avoid using more than one role per user. If you look at the standard moderator role in Vanilla you see that it is all the same like moderator and moderator only has some rights more.
    That is not as comfortable as adding some roles which only contain a few permissions but it is more safe (and maybe already the solution of your problem).

    If you like to find out if that is a jsConnect problem, you could deactivate that plugin and retry adding the role.


  • Ok well I had deleted the role to limit issues. I re-added it this morning with a slightly different name and saw that it auto added itself to a bunch of users for some reason. Strange. Ok removed it from those users and added it to my test account and removed the member role so it only has MemberPlus role.

    Here is visual proof of that.

    Then looking at the user administration and going into edit the user I see the roles still set correctly.

    Then I refresh the forums with that test user and the role reverts back:

    Running the queries from before (backwards) you can see the role exists but is no longer assigned to the user. It is now RoleId 8 which is standard member.

  • R_J Ex-Fanboy Munich Admin

    Could you deactivate the jsConnect and retry?


  • Deactivate the plugin?

  • Deactivated the plugin, edited the user, reactivated the plugin and as soon as I did something as that test user the settings reversed again.

  • Linc Detroit Admin
    edited July 2017

    You're messing around in the database directly without understanding what you're doing.

    Deleting the last row in the GDN_Role table can (and likely in this case did) cause the next-added role to assume the same RoleID. Because I'm sure you neglected to remove the corresponding rows in GDN_UserRole, the association to users still existed, it wasn't magically created.

  • Linc Detroit Admin

    The WordPress addon demands that the roles correspond exactly by name between WordPress and Vanilla, including capitalization. The space may also be problematic. I suggest re-testing with a single-word role name with a carefully-matched name on both sides.
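
Added example, not part of the thread and not code from Vanilla or the WordPress addon: a read-only audit for the two conditions Linc describes above, rows left in GDN_UserRole after their role was deleted (which a re-used RoleID would silently inherit) and role names that do not match exactly between WordPress and Vanilla. SQLite stands in for the forum's database, every row except RoleID 8 as the standard member role is constructed, and `audit_roles`, `build_sample_db` and the hand-supplied WordPress role list are hypothetical names and inputs.

```python
import sqlite3


def audit_roles(db, wp_role_names):
    """Return (orphaned_assignments, name_mismatches) without modifying anything."""
    # GDN_UserRole rows whose RoleID no longer exists in GDN_Role. If a new
    # role later receives that RoleID, these users get it without anyone
    # having assigned it.
    orphans = db.execute(
        "SELECT ur.UserID, ur.RoleID FROM GDN_UserRole ur "
        "LEFT JOIN GDN_Role r ON r.RoleID = ur.RoleID "
        "WHERE r.RoleID IS NULL ORDER BY ur.UserID, ur.RoleID"
    ).fetchall()

    vanilla = [row[0] for row in db.execute("SELECT Name FROM GDN_Role ORDER BY RoleID")]

    def norm(name):
        # Ignore case and whitespace only to locate the probable intended match.
        return "".join(name.split()).lower()

    mismatches = []
    for wp in wp_role_names:
        if wp in vanilla:  # exact match, including capitalization and spaces
            continue
        near = [v for v in vanilla if norm(v) == norm(wp)]
        mismatches.append((wp, near))  # empty list: no Vanilla role resembles it
    return orphans, mismatches


def build_sample_db():
    """Constructed data: role 34 was deleted but users 3 and 4 still point at it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE GDN_Role (RoleID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE GDN_UserRole (UserID INTEGER, RoleID INTEGER);
        INSERT INTO GDN_Role VALUES
            (8, 'Member'), (16, 'Administrator'), (32, 'Moderator'), (33, 'Member Plus');
        INSERT INTO GDN_UserRole VALUES (1, 16), (2, 8), (3, 34), (4, 34), (5, 33);
    """)
    return db


if __name__ == "__main__":
    orphans, mismatches = audit_roles(build_sample_db(), ["Member", "memberplus", "Editor"])
    print("orphaned (UserID, RoleID):", orphans)
    print("WordPress roles without an exact Vanilla match:", mismatches)
```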

  • Ok so I created the MemberPlus role. I will add it on WordPress side and then do a new check.

  • AHA! I think I have it. I have to modify their role on the WordPress side and not on the Vanilla side.

  • I work with extremely complex Transact-SQL all day long creating enterprise level ETL solutions. I don't willy-nilly touch things in databases. I've not done any sort of an update or delete statement on the DB. I didn't want to do anything in the DB because as J_R said it didn't make sense to go looking there. Unfortunately it seems that the problem was my remedial understanding of the js_connect plugin.

    Thankfully your posting above gave me the hint I needed to go make the correct change.
