Error in SQL when selecting Management>Displays [DisplayGroupAuth]

Bug #717951 reported by Adam Stafford
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Xibo | Fix Released | Critical | Dan Garner |
1.2 | Fix Released | Critical | Dan Garner |
1.3 | Fix Released | Critical | Dan Garner |

Bug Description

There is a problem with the DisplayGroupAuth function when calling Management -> Displays.
Instead of calling display.licensed=0 to see all displays, it is only requesting licensed displays through filtering.

----------------------------------
SELECT DISTINCT displaygroup.DisplayGroupID, displaygroup.DisplayGroup, IsDisplaySpecific
FROM displaygroup
INNER JOIN lkdisplaydg ON displaygroup.DisplayGroupID = lkdisplaydg.DisplayGroupID
INNER JOIN display ON display.DisplayID = lkdisplaydg.DisplayID
WHERE display.licensed = 1

Alex Harrington (alexharrington) wrote :

The selection of licensed displays is intentional because starting with Xibo 1.2.1, if you have given your users access to the Management -> Displays menu (and your users aren't Super Admins) then they should only see licensed displays they have been given permissions to modify. That means you can then set up Xibo to allow ordinary users access to modify the default layout on a subset of the displays.

What's not working here is the override that allows Super Admins to see unlicensed displays so that they can license them and assign permissions.

Alex Harrington (alexharrington) wrote :

@Dan: FYI, the install on unittest is from before the display permission changes were merged so doesn't display this behaviour. I've confirmed it on my production 1.2.1 install by revoking a license logged in as xibo_admin and the display disappears from the listing.

Alex Harrington (alexharrington) wrote :

I've had a quick look. My feeling is the fix proposed by the OP is wrong as it will allow non-admin users to edit all displays.

What I think needs to be done is at
http://bazaar.launchpad.net/~xibo-maintainers/xibo/biela/view/206/server/lib/pages/display.class.php#L370

needs an "and user is not an admin" clause on it, so that if the user is an admin then it falls straight through past the continue as normal?

Dan Garner (dangarner) wrote :

@Alex - I think I agree with the OP, I can't think of a good reason why a non-admin user shouldn't be able to edit a display that is not licensed?

Dan Garner (dangarner) wrote :

An alternative strategy would be for DisplayGroupAuth to filter on licenses = 0 if it is not an admin user?

module_user_general line 724 -> move to line 727?

Alex Harrington (alexharrington) wrote : Re: [Bug 717951] Re: Error in SQL when selecting Management>Displays [DisplayGroupAuth]

Because as an admin you might temporarily unlicense a display that is out of use?

Alex Harrington (alexharrington) wrote :

Or to flip it around, why should they be able to?

Also, doesn't the same function govern the displays you see in the schedule? We certainly don't want unlicensed displays turning up there.

Alex

Dan Garner (dangarner) wrote :

Good point on the schedule - hadn't thought of that. I guess your suggestion would be the best thing to do then.

Alex Harrington (alexharrington) wrote :

Patched display.class.php file which needs to go in your server directory under lib/pages folder replacing the existing file there.

1.2.1.1 tar/zip files will replace the live versions in the next 30 minutes or so.
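
The behaviour the thread converges on, as an added example that is not part of the bug report or Xibo's own code: the reported query run against constructed data, with the licence filter lifted only for a super admin on the management page and kept for everyone on the schedule. The helper names, the `for_schedule` flag, and the table definitions are assumptions; only the table and column names in the query come from the report.

```python
import sqlite3

# The query from the bug description, minus its WHERE clause.
BASE_QUERY = """
SELECT DISTINCT displaygroup.DisplayGroupID, displaygroup.DisplayGroup, IsDisplaySpecific
FROM displaygroup
INNER JOIN lkdisplaydg ON displaygroup.DisplayGroupID = lkdisplaydg.DisplayGroupID
INNER JOIN display ON display.DisplayID = lkdisplaydg.DisplayID
"""

def display_group_names(conn, is_super_admin, for_schedule=False):
    """Hypothetical helper: list display group names visible to a caller.

    Per-user group permissions are out of scope here; only the licence
    filter discussed in the thread is modelled.
    """
    sql = BASE_QUERY
    # Only a super admin on the management page may see unlicensed displays
    # (to re-license them). Everyone else, and the schedule, stays filtered.
    if not (is_super_admin and not for_schedule):
        sql += " WHERE display.licensed = 1"
    sql += " ORDER BY displaygroup.DisplayGroupID"
    return [row[1] for row in conn.execute(sql)]

def build_sample_db():
    """Constructed sample data: one licensed and one unlicensed display."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE display (DisplayID INTEGER PRIMARY KEY, licensed INTEGER NOT NULL);
        CREATE TABLE displaygroup (DisplayGroupID INTEGER PRIMARY KEY,
                                   DisplayGroup TEXT, IsDisplaySpecific INTEGER);
        CREATE TABLE lkdisplaydg (DisplayGroupID INTEGER, DisplayID INTEGER);
        INSERT INTO display VALUES (1, 1), (2, 0);
        INSERT INTO displaygroup VALUES (10, 'Lobby', 1), (20, 'Spare', 1);
        INSERT INTO lkdisplaydg VALUES (10, 1), (20, 2);
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("super admin, management:", display_group_names(db, True))
    print("ordinary user, management:", display_group_names(db, False))
    print("super admin, schedule:", display_group_names(db, True, for_schedule=True))
```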
