[F] [Admin CP] odd login behavior

[WDZ]

Let's say I request a page such as:

/admin/index.php?module=user/groups&action=add

and find that my admin session has expired so I need to log in again. After submitting the login form, MyBB complains that I didn't "enter a title for this new user group" even though I never tried to add a new user group. The problem is that the ACP modules might see the login POST request as a request intended for them.

[Martin M.]

I noticed that myself. It only checks if there is a POST request not what kind of POST request it is.

[Ryan Gordon]

Yeh, I noticed this to recently. Not exactly sure how we could fix it

Since logging in can't pass post request methods anyway I guess just making sure it's forced to get afterward would work

PHP Code:

$db->insert_query("adminsessions", $admin_session);
my_setcookie("adminsid", $sid);
$post_verify = false; 


Add after

PHP Code:

$mybb->request_method = "get"; 


Anybody have a better solution?

[Martin M.]

What about

PHP Code:

if($mybb->request_method == 'post' && $mybb->input['do'] != 'login') 


Although you would have to change it in all the modules.

[Ryan Gordon]

Yeh, That's what I'm trying to avoid

[Yumi]

Your solution sounds the most logical I think, Ryan.

[Chris Boulton]

Do a redirect back to the page instead of parsing/loading it internally?

[Ryan Gordon]

(08-19-2008 11:04 AM)Chris Boulton Wrote:  Do a redirect back to the page instead of parsing/loading it internally?

huh?

[WDZ]

(08-18-2008 03:31 PM)Ryan Gordon Wrote:  

PHP Code:

$mybb->request_method = "get"; 


That seems like kind of a hack, but I guess it's fine... /admin/index.php already does the same thing when your anti-CSRF token doesn't match up.

[Ryan Gordon]

Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.