Forum OpenACS Development: Found bug in Forums. Let you post a message with closed policy.

Hi, first of all let me introduce myself. I'm Juan Ignacio Fernández, a newbie developer in OpenACS (I've been working with it for about 2 months), so apologies if there is something wrong.

Well, I've found that when you try something like posting a new message in a closed forum, it lets you do it. In my humble opinion, I think that it is because it only looks at the (inherited) permissions and not at the posting policy of the forum at the time of posting a new message. I "solved" it by making these changes in these files:
-forums/tcl/forums-procs.tcl. I wrote a new function:
          ...
          ad_proc -public forum::posting_policy_get {
            {-forum_id 0}
            {-message_id 0}
          } {
            return [db_string posting_policy {} -default ""]
          }
          ...
          
-forums/tcl/forums-procs.xql. The name of the query: posting_policy
          ...
              select posting_policy
              from forums_forums
              where forum_id = :forum_id or forum_id in (
                select forum_id
                from forums_messages
                where message_id = :message_id
                  or parent_id = :forum_id
                  or parent_id = :message_id)
          
-forums/tcl/forums-security-procs.tcl. I modified two functions:
          ...
          ad_proc -public can_post_forum_p {
            {-user_id ""}
            {-forum_id:required}
          } {
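              # Posting needs the create privilege and, unless the user is a
              # forum admin, a posting policy other than "closed".
              # The expression is braced so it is substituted only once.
              return [expr {
                  [permission::permission_p -party_id $user_id -object_id $forum_id -privilege create]
                  && (![string equal closed [forum::posting_policy_get -forum_id $forum_id]]
                      || [forum::security::can_admin_forum_p -user_id $user_id -forum_id $forum_id])
              }]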
          }
          ...
          ad_proc -public can_post_message_p {
            {-user_id ""}
            {-message_id:required}
          } {
              # Same rule for replies: write privilege on the message and,
              # unless the user is an admin, a policy other than "closed".
              return [expr {
                  [permission::permission_p -party_id $user_id -object_id $message_id -privilege write]
                  && (![string equal closed [forum::posting_policy_get -message_id $message_id]]
                      || [forum::security::can_admin_forum_p -user_id $user_id -forum_id $message_id])
              }]
          }
          ...
          
With this solution I solved the problem, but I found another one: when you type the URL for posting a new thread directly into the URL bar, for a forum with an open posting policy where users are not allowed to publish new threads, the system lets you publish that thread.

Another question: should I post it in the bug tracker?

Version: OpenACS 5.4, dotLRN 2.4
Thank you very much.

Hi Juan Ignacio,

Welcome to OpenACS!

Apparently the "authorization" is implemented by hiding links... As for the fix, apart from checking the policy to show/hide actions, guards should be added to the Tcl scripts that add a new thread or a new message.

Could you post your patch at the bugtracker?

Thanks for catching that.
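
The guard asked for in the reply above, as an added example that is not part of the thread and is not OpenACS code: one decision proc consulted by the request handler itself, so a hand-typed URL gets the same answer as the page that hides the link. It runs in plain Tcl 8.5 or later without OpenACS; the procs `has_priv`, `can_post_p` and `handle_post`, the `new_threads_p` flag and the sample forums and grants are constructed for illustration.

```tcl
# Added example: plain Tcl, no OpenACS runtime. Names and data are constructed.
# forum_id -> posting policy, and whether ordinary users may start threads
set forums {
    10 {policy open   new_threads_p 1}
    11 {policy closed new_threads_p 1}
    12 {policy open   new_threads_p 0}
}
# {user forum_id} -> privileges, with inheritance already resolved
set grants {
    {alice 10} create  {alice 11} create  {alice 12} create
    {root 11} {create admin}
}

proc has_priv {user forum priv} {
    global grants
    set key [list $user $forum]
    expr {[dict exists $grants $key] && $priv in [dict get $grants $key]}
}

# One decision shared by the link renderer and the request handler.
# action is "reply" or "new_thread".
proc can_post_p {user forum action} {
    global forums
    if {![dict exists $forums $forum]} { return 0 }
    if {![has_priv $user $forum create]} { return 0 }
    if {[has_priv $user $forum admin]} { return 1 }
    set f [dict get $forums $forum]
    if {[dict get $f policy] eq "closed"} { return 0 }
    if {$action eq "new_thread" && ![dict get $f new_threads_p]} { return 0 }
    return 1
}

# The handler re-checks on every request; a hidden link is not a check.
proc handle_post {user forum action} {
    if {![can_post_p $user $forum $action]} {
        return [list 403 "posting not allowed"]
    }
    return [list 200 "stored"]
}

# Direct requests, as if the URL had been typed by hand.
foreach {user forum action} {
    alice 10 reply   alice 11 reply   alice 12 new_thread
    alice 12 reply   root 11 reply    bob 10 reply
} {
    set status [lindex [handle_post $user $forum $action] 0]
    puts [format "%-5s forum %s %-10s -> %s" $user $forum $action $status]
}
```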

Maybe there is a misunderstanding of terminology?

See related, recent post: https://openacs.org/forums/message-view?message%5fid=1866579

Well, I posted the patch at the bug tracker (bug #3153).

Thank you for all the answers.