Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-11115

ACP > Forums > Create > doubleclick on "Submit" doubles forum moderators when copying permissions

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.11
    • Fix Version/s: 3.0.15-RC1, 3.1.12-RC1
    • Component/s: ACP
    • Labels:
      None
    • Environment:
      PHP 5.3.8, Opera 12.02

      Description

      ACP > Forums > Manage forums > Manage forums > Create new forum ("testforum") > Forum settings > Copy permissions from > ("otherforum"). Don't click once on the Submit button, do a doubleclick. Results in:

      • creating the forum twice,
      • adding or editing groups' user permissions twice and
      • copying forum permissions twice.

      Yet I haven't really grasped the whole thing. In /includes/acp/acp_forums.php we have this call:

      copy_forum_permissions($forum_perm_from, $forum_data['forum_id'], ($action == 'edit') ? true : false);

      The third parameter of that will evaluate to FALSE when creating a forum - the only position in the whole phpBB files where this third parameter might be FALSE. Looking up the function's definition in /includes/functions_admin.php this parameter turns out as $clear_dest_perms = true. It is then used this way:

      	// Clear current permissions of destination forums
      	if ($clear_dest_perms)
      	{
      		$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
      			WHERE ' . $db->sql_in_set('forum_id', $dest_forum_ids);
      		$db->sql_query($sql);
       
      		$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
      			WHERE ' . $db->sql_in_set('forum_id', $dest_forum_ids);
      		$db->sql_query($sql);
      	}

      So when creating "two forums in a row" (the doubleclick) both seem to be copied twice without deleting existing datasets. Seeing this brought me the idea:

      Simply re-editing the forum and re-copying the permissions from another forum solved the issue.

      What I don't really get: why is the doubleclick "possible" at all? I mean: why doesn't interfere any form token from processing a (HTTP) request more than once? I'm a bit scared by what could go wrong to the whole board because I literally have the chance to doubleclick on a Submit button in so many different places.

        Attachments

          Activity

            People

            • Assignee:
              CHItA CHItA
              Reporter:
              AmigoJack AmigoJack
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: