[F] Logged In ACP Users [R] [C-Michael83]

[Scoutie44]

I'm not 100% sure if this is a bug, but it can be confusing at times. Say for example, a regular user tries to log into the AdminCP without the admin permissions. The user will not be logged in, however they will show as an 'Online Admin' on the dashboard.

Steps to reproduce:

1) Create user account without admin CP access.
2) Navigate to AdminCP directory and attempt to log in.
3) Log into ACP as administrator with Admin CP access.
4) Look at the 'Online Admins' area.

[DAMINK]

Yep i just tested it and have the same problem.
Must be a bug. Although i dont see any problems with it other than just being annoying.

[dvb]

In the /admin/index.php file, find around line 97:

PHP Code:

    $user = validate_password_from_username($mybb->input['username'], $mybb->input['password']);
    if($user['uid'])
    {
        $query = $db->simple_select("users", "*", "uid='".$user['uid']."'");
        $mybb->user = $db->fetch_array($query);
    }

    if($mybb->user['uid']) 


The line:

PHP Code:

    if($mybb->user['uid']) 


should be:

PHP Code:

    if($mybb->user['uid'] && $mybb->usergroup['cancp'] == 1) 


Please check and update us

[Scoutie44]

Doesn't appear to work, I get this error:

Code:

SQL Error:
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY username' at line 1
Query:
    SELECT uid, username FROM MyBB_users WHERE uid IN() ORDER BY username

[dvb]

EDITED:
Scoutie44, you're right, I'm sorry I'll recheck this.

Thank you for your help!

[Scoutie44]

All I did was change that line.

[Ryan Gordon]

(03-08-2009 07:39 PM)dvb Wrote:  But I hadn't told you to change anything related to mysql query, you have probably changed something incorrectly, or misused the ACP.

The problematic query being execute in 'admin/modules/home/module_meta.php'
Line 106 :

PHP Code:

            $query = $db->simple_select("users", "uid, username", "uid IN(".implode(',', $uid_in).")", array('order_by' => 'username')); 


And you're receiving this error because there is no valid rows in the 'adminsessions' table, this case should never occur...
The '/admin/index.php' will never include 'admin/modules/home/module_meta.php' unless you're a logged in admin and therefore at least one row exists in the 'adminsessions' table.

If you know what are you doing (as I assume) please revert the unneeded changes and test correctly, if you don't, just download a fresh mybb installation to your PC and upload a new clean '/admin/index.php'

Thank you for your help!

No dvb, he just applied your one fix. The issue is that $uid_in is now an empty array because of your change and MySQL doesn't allow blank IN() clauses.

[Ryan Gordon]

Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group

[Michael S.]

Revision #4330

This fix isn't working. In admin/index.php

PHP Code:

unset($mybb->user);
$db->delete_query("adminsessions", "uid='".$db->escape_string($mybb->user['uid'])."'"); 


should be

PHP Code:

$db->delete_query("adminsessions", "uid='".$db->escape_string($mybb->user['uid'])."'");
unset($mybb->user); 


[dvb]

Ryan, I'm assuming you haven't read my PM with the fix from March, 9 ?
(only Ryan G can access it, important parts below)

find...
replace with:

PHP Code:

if($mybb->usergroup['cancp'] != 1 || !$mybb->user['uid'])
{
    $db->delete_query("adminsessions", "uid='".intval($mybb->user['uid'])."'");
    my_setcookie("adminsid", "");
    unset($mybb->user);
    $login_message = $lang->error_invalid_admin_session;
} 


This fix seems to fix the problem but it's a bit of duplicate since we're adding a row to adminsessions and set a cookie, after that we clean them both...

BTW, line 255:

PHP Code:

            $login_message = $lang->invalid_admin_session; 


should be:

PHP Code:

            $login_message = $lang->error_invalid_admin_session;