Module: Enhanced Custom Profiles
Posted by Joe Curia
Re: Module: Enhanced Custom Profiles May 23, 2009 10:46AM |
Registered: 13 years ago Posts: 9 |
Security protection issue June 11, 2009 11:51AM |
Registered: 13 years ago Posts: 3 |
We have the Phorum (v.5.2.11) installed with Enhanced Custom Profiles (v.5.2.1.04) module.
The Submit button in the module setup interface doesn't work:
Quote
You are accessing the admin after a security timeout.
The requested URL was:
http://localhost/admin.php?module=modsettings&mod=enhanced_custom_profiles
Please make sure that you really want to access this URL and weren't tricked to go to the admin.
Please click on continue to go to this URL or on cancel to go to the forum homepage.
This dialog has 'continue' button, but it's useless without form POST data.
It seems to me the module is incompatible with the new Phorum security feature "phorum_admin_token" added to all admin URLs and forms. I've added a hidden input in the <form id='field_form'> and got the correct answer: "... successfully updated". Here is the field needed (taken from <form id='status-form'> found on every admin page):
Quote
<input type="hidden" name="phorum_admin_token" value="2d11da1d90182ec2114db66d601d932d" />
BTW, other modules do not have this issue, probably because of using more compatible forms:
Language: PHP
$frm = new PhorumInputForm();
June 11, 2009 01:37PM |
Admin Registered: 17 years ago Posts: 8,532 |
The admin token is not a constant, so this will only work temporarily. What has to be added instead is:
Language: PHP
<input type="hidden" name="phorum_admin_token" value="<?php print $PHORUM['admin_token'] ?>"/>
@Joe: can you incorporate this in your package, please?
Maurice Makaay
Phorum Development Team



Edited 1 time(s). Last edit at 06/11/2009 03:40PM by Thomas Seifert.
Re: Module: Enhanced Custom Profiles June 16, 2009 04:21AM |
Registered: 13 years ago Posts: 3 |
And what about these JavaScript links -- should they be supplied with the phorum_admin_token param like all other interface links?
Language: HTML
<td class='menuoff' width='160px' id='view_profile_settings' onmouseover="menuon(this)" onmouseout="menuoff(this)" onclick="window.open('./admin.php?module=modsettings&mod=enhanced_custom_profiles&show_page=view_profile', '_parent')">View My Profile</td>
June 16, 2009 08:37AM |
Moderator Registered: 15 years ago Posts: 1,301 |
Sorry, I have been very busy with little time for coding. Many of my modules will need updates for the new phorum_admin_token. I am hoping to find time this coming weekend and beyond to update them. For some it is a simple link here or there, others use their own forms and pages and will be a bit more complex. I will make sure this module gets top priority.
Joe Curia (aka Azumandias)
Modules: Admin Mass Email, Automatic Time Zones, Enhanced Custom Profiles, Google Calendar, Post Previews, Admin Security Suite, Check Modules for Upgrades, External Authentication, Group Auto-Email, Private Message Alerts, Attachment Download Counter, Custom Attachment Icons, Favorite Forums, Highlighted Search Terms, Self-Delete Posts Option, Attachment Watermarks, Custom Language Database, Forum Lockdown, Ignore Forums, Threaded Tree View, Automatic Message Pruning, Easy Color Scheme Manager, Forum Subscriptions, Moderated User Group
Templates: Generic Integration, Simple Rounded, Tabbed Emerald
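The two fixes discussed in this thread (the current admin token in a hand-written form, and the same token on admin links opened from JavaScript), as an added example that is not part of any post and not the module's own code. The helper names `ecp_token_field`, `ecp_admin_url` and `ecp_menu_cell` are hypothetical, and the token value is a constructed placeholder standing in for `$PHORUM['admin_token']`.

```php
<?php
// Added example: not code from Phorum or the Enhanced Custom Profiles module.
// On a real admin page $PHORUM['admin_token'] is already set; the value
// below is a constructed placeholder so the script runs stand-alone.
$PHORUM = array('admin_token' => 'CONSTRUCTED-TOKEN-FOR-DEMO');

// Hypothetical helper: hidden field for any hand-written admin <form>.
// The value is read at render time, never pasted in as a literal.
function ecp_token_field()
{
    global $PHORUM;
    return '<input type="hidden" name="phorum_admin_token" value="'
         . htmlspecialchars($PHORUM['admin_token'], ENT_QUOTES) . '"/>';
}

// Hypothetical helper: admin.php URL with the current token appended.
function ecp_admin_url(array $params)
{
    global $PHORUM;
    $params['phorum_admin_token'] = $PHORUM['admin_token'];
    return './admin.php?' . http_build_query($params, '', '&');
}

// Hypothetical helper: menu cell whose onclick opens a tokenised URL.
// The URL is encoded as a JS string first, then escaped for the attribute.
function ecp_menu_cell($id, $label, $show_page)
{
    $url = ecp_admin_url(array(
        'module'    => 'modsettings',
        'mod'       => 'enhanced_custom_profiles',
        'show_page' => $show_page,
    ));
    $js = 'window.open(' . json_encode($url) . ', "_parent")';
    return '<td class="menuoff" width="160px" id="' . htmlspecialchars($id, ENT_QUOTES) . '"'
         . ' onmouseover="menuon(this)" onmouseout="menuoff(this)"'
         . ' onclick="' . htmlspecialchars($js, ENT_QUOTES) . '">'
         . htmlspecialchars($label, ENT_QUOTES) . '</td>';
}

// Render the form field and the menu cell from the thread.
echo "<form id='field_form' method='post' action='admin.php'>\n";
echo ecp_token_field(), "\n</form>\n";
echo ecp_menu_cell('view_profile_settings', 'View My Profile', 'view_profile'), "\n";
```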
Re: Security protection issue July 20, 2009 05:49PM |
Registered: 17 years ago Posts: 10 |
July 20, 2009 06:14PM |
Admin Registered: 17 years ago Posts: 8,532 |
Well... all pages really.
Why not reverse the solution here?
You tell us what exact path you follow to run into the issue and we will try to fix the issue for you.
Maurice Makaay
Phorum Development Team
Re: Security protection issue July 20, 2009 06:31PM |
Registered: 17 years ago Posts: 10 |
Thanks for your reply Maurice.
No matter what I select or try and input in the Settings (in Control Center > Modules) for Enhanced Custom Profiles, it always comes up with:
Phorum Admin version 5.2.11 Phorum Status: You are accessing the admin after a security timeout. The requested URL was: [localhost] Please make sure that you really want to access this URL and weren't tricked to go to the admin. Please click on continue to go to this URL or on cancel to go to the forum homepage.
And pressing Continue just resets the settings to blank again. And so it goes on in a circle :)
Edited 1 time(s). Last edit at 07/20/2009 06:35PM by klibreck.
July 20, 2009 06:51PM |
Admin Registered: 17 years ago Posts: 8,532 |
Did you try my suggestion from above? I didn't test it, but it might just work.
Maurice Makaay
Phorum Development Team
July 23, 2009 07:42PM |
Registered: 19 years ago Posts: 687 |
I have a bit of a strange issue with this module...
I include lots of my own PHP files within Phorum, globalising certain variables if I will need them later on.
E.g., in my own common.php, I set up things like:
global $path;
$path = "my/path";
I then include common.php and expect to be able to use $path later on within my own functions, provided I specify they are global first of course.
This works for all Phorum pages, except...
...I've just noticed that profile.php effectively puts all my globals out of scope.
I traced the behaviour to the first line of profile.php, namely:
define('phorum_page','profile');
If I changed the above to define('phorum_page','search'); or even define('phorum_page','profile1'); then my globals all come back.
I then worked out that some extra code must run when the phorum_page is set to "profile" and remembered I'd added the Enhanced Custom Profiles module. Sure enough, disabling the module fixes the problem.
Any ideas why this module puts my globals out of scope?
Thanks,
/\dam
--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz