Closed Bug 632820 Opened 14 years ago Closed 14 years ago

No longer able to edit Personas on getpersonas.com

Categories

(Websites Graveyard :: getpersonas.com, defect)

Product:
Websites Graveyard
Component:
getpersonas.com
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: deb, Assigned: MattN)

References

Details

Attachments

(1 file, 1 obsolete file)

v.2 don't check nonce on initial loading of edit screen (using GET)
908 bytes, patch
chenba
: review+
Details | Diff | Splinter Review
Since the system update yesterday, attempting to edit a Persona only brings up a blank page rather than the editing UI. This is a significant issue because we strongly encourage Personas authors to edit existing Personas rather than submitting a duplicate with minor changes in order to keep the review queue down. If you need login credentials and a persona to test, just ping me in IRC, email, or IM.
Here is the error log snippet from my dev box: [error] [client 127.0.0.1] PHP Notice: Undefined variable: tos_tmpl in /blah/getpersonas.com/trunk/server/upload_forms.php on line 99, referer: https://getpersonas.com.localhost/en-US/gallery/ [error] [client 127.0.0.1] PHP Warning: include() [<a href='function.include'>function.include</a>]: Filename cannot be empty in /blah/getpersonas.com/trunk/server/upload_forms.php on line 99, referer: https://getpersonas.com/en-US/gallery/ [error] [client 127.0.0.1] PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening '' for inclusion (include_path='.::/blah/getpersonas.com/trunk/server') in /blah/getpersonas.com/trunk/server/upload_forms.php on line 99, referer: https://getpersonas.com/en-US/gallery/
I'm just testing out a fix now. I'll post a patch shortly.
Assignee: nobody → mmn100+bmo
Status: NEW → ASSIGNED
Thanks Matthew
I changed the code to not check the nonce on initial loading of the edit screen. Is there any security issue with this? The nonce is still checked on submission of the form.
Attachment #511065 - Flags: review?(clouserw)
Comment on attachment 511065 [details] [diff] [review] v.1 don't check nonce on initial loading of edit screen If you look at line 32 you can see that id can come from GET or POST. It would be better to check $id here, which already looks in either. I'll r- for that, but chenba@gmail.com or :telliott can review patches faster than I can
Attachment #511065 - Flags: review?(clouserw) → review-
Comment on attachment 511065 [details] [diff] [review] v.1 don't check nonce on initial loading of edit screen (In reply to comment #6) > Comment on attachment 511065 [details] [diff] [review] > v.1 don't check nonce on initial loading of edit screen > > If you look at line 32 you can see that id can come from GET or POST. It would > be better to check $id here, which already looks in either. I'll r- for that, > but chenba@gmail.com or :telliott can review patches faster than I can I intentionally didn't use $id since I DO want to check the nonce when id is submitted over POST or is null but not when id is set via GET. When we get a failed nonce we just include the form again and so this check needs to be far enough in the code so that it has the values to fill in the form (ie. $upload_submitted and $categories).
Attachment #511065 - Flags: review?(chenba)
Comment on attachment 511065 [details] [diff] [review] v.1 don't check nonce on initial loading of edit screen Since the error is the missing template path, could establish a path to include depending if it's an add or edit. And move the get categories line up, of course. I could bypass the nonce check by adding the id to the form action url since that && in the if will short circuit.
Attachment #511065 - Flags: review?(chenba) → review-
(In reply to comment #8) > Comment on attachment 511065 [details] [diff] [review] > v.1 don't check nonce on initial loading of edit screen > > Since the error is the missing template path, could establish a path to include > depending if it's an add or edit. And move the get categories line up, of > course. The output in the PHP error log are warnings and are not really the main problem. It's really that "exit" is being hit since $user->validate_nonce() is false when clicking the edit link. I'm not sure that there would be much benefit in having two templates at this point as I don't really know how they would differ. > I could bypass the nonce check by adding the id to the form action url since > that && in the if will short circuit. True. I switched to validating the nonce whenever POST is used.
Attachment #511065 - Attachment is obsolete: true
Attachment #511294 - Flags: review?(chenba)
(In reply to comment #9) > (In reply to comment #8) > > Since the error is the missing template path, could establish a path to include > > depending if it's an add or edit. And move the get categories line up, of > > course. > > I'm not sure that there would be much benefit in having two templates at this > point as I don't really know how they would differ. The edit process doesn't include the Term of Service step. So I meant that the template path variable should point to the correct template, which is what your patch's first line is doing. Checking the nonce only on POST works for me.
Attachment #511294 - Flags: review?(chenba) → review+
r82393 To verify: * Make sure that the edit page for a persona now loads and that edits submitted show up in the edit review queue. * Verify that the nonce is checked in the following cases by modifying the nonce hidden input and making sure that the website doesn't proceed to the next step after submission. ** From the TOS page when submitting a new persona ** From the upload page when submitting a new persona ** From the upload page when editing a persona.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
QA: If you can verify this on stage, I can try to get it out today.
Verified, FIXED. 1. 'edit' link opens up the correct page 2. edited personas show up in the edit review queue 3. Modifying the nonce value on the following pages does not let you continue to the next step: a. upload a new persona b. edit a persona Isn't the Terms of Service page same as the upload page which is https://personas.stage.mozilla.com/en-US/upload ?
Status: RESOLVED → VERIFIED
(In reply to comment #13) > Isn't the Terms of Service page same as the upload page which is > https://personas.stage.mozilla.com/en-US/upload ? Yes, I just wanted to make sure both steps (accepting TOS & persona details) of the upload process would be verified (making sure the nonce was checked).
this fix is live
Product: Websites → Websites Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: