Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter PaulMighty

    (@paulmighty)

    As a follow up, this line in package.module.nextgen_addgallery_page.php:
    if ($this->validate_ajax_request('nextgen_upload_image', TRUE)) {

    …called the validate_ajax_request method in package.module.ajax.php, which is written as follows:

    public function validate_ajax_request($action = NULL, $check_token = false)
        {
            // TODO: remove this. Pro 2.1's proofing calls validate_ajax_request() with a null $action
            if (!$action) {
                return TRUE;
            }
            $valid_request = false;
            $security = $this->get_registry()->get_utility('I_Security_Manager');
            $sec_actor = $security->get_current_actor();
            $sec_token = $security->get_request_token($action);
            if ($sec_actor->is_allowed($action) && (!$check_token || $sec_token->check_current_request())) {
                $valid_request = true;
            }
            return $valid_request;
        }

    If we update:
    if ($this->validate_ajax_request('nextgen_upload_image', TRUE)) {

    …to:
    if ($this->validate_ajax_request( NULL, TRUE)) {

    …the file successfully uploads and the permission error is not displayed. Can you shed some light on what’s going on? I haven’t had time to dig through the dependent functions in validate_ajax_request. Are we experiencing token errors or something?

    Thanks,
    -Paul

    Benjamin

    (@benjaminowens)

    Could you tell us what a var_dump($sec_token) right above the second if returns? It could be that token generation may not be right on your system.

    Thread Starter PaulMighty

    (@paulmighty)

    Where do you suggest we add var_dump($sec_token)? The upload action occurs in an AJAX call, so nothing will display on the page if I add it to validate_ajax_request.

    -Paul

    Thread Starter PaulMighty

    (@paulmighty)

    So I rigged it up to have validate_ajax_request return $sec_token and I then capture what it returns with output buffering on a var_dump like this:

    ob_start();
    var_dump($this->validate_ajax_request( NULL , TRUE));
    $retval['error'] = ob_get_clean();

    $sec_token returns this raw output on failed image upload:

    object(C_Wordpress_Security_Token)#1681 (12) {
      ["context"]=>
      bool(false)
      ["adapted"]=>
      bool(true)
      ["_mixins"]=>
      array(4) {
        ["Mixin_Security_Token"]=>
        object(Mixin_Security_Token)#1680 (2) {
          ["object"]=>
          *RECURSION*
          ["method_called"]=>
          NULL
        }
        ["Mixin_Security_Token_Property"]=>
        object(Mixin_Security_Token_Property)#1710 (4) {
          ["_action_name"]=>
          NULL
          ["_args"]=>
          NULL
          ["object"]=>
          *RECURSION*
          ["method_called"]=>
          NULL
        }
        ["Mixin_Wordpress_Security_Token"]=>
        object(Mixin_Wordpress_Security_Token)#1676 (2) {
          ["object"]=>
          *RECURSION*
          ["method_called"]=>
          NULL
        }
        ["Mixin_Wordpress_Security_Token_MVC"]=>
        object(Mixin_Wordpress_Security_Token_MVC)#1678 (2) {
          ["object"]=>
          *RECURSION*
          ["method_called"]=>
          NULL
        }
      }
      ["_mixin_priorities"]=>
      array(4) {
        [0]=>
        string(34) "Mixin_Wordpress_Security_Token_MVC"
        [1]=>
        string(30) "Mixin_Wordpress_Security_Token"
        [2]=>
        string(29) "Mixin_Security_Token_Property"
        [3]=>
        string(20) "Mixin_Security_Token"
      }
      ["_method_map_cache"]=>
      array(2) {
        ["init_token"]=>
        string(29) "Mixin_Security_Token_Property"
        ["check_current_request"]=>
        string(20) "Mixin_Security_Token"
      }
      ["_disabled_map"]=>
      array(1) {
        ["check_request"]=>
        array(0) {
        }
      }
      ["_interfaces"]=>
      array(2) {
        [0]=>
        string(11) "I_Component"
        [1]=>
        string(16) "I_Security_Token"
      }
      ["_throw_error"]=>
      bool(true)
      ["_wrapped_instance"]=>
      bool(false)
      ["object"]=>
      *RECURSION*
      ["_action_name"]=>
      NULL
      ["_args"]=>
      NULL
    }

    Thoughts?

    -Paul

    Benjamin

    (@benjaminowens)

    $this->validate_ajax_request(NULL, TRUE) should return TRUE when the first parameter is NULL or empty. Is the above the result of validate_ajax_request('nextgen_upload_image'), and if not could you post that?

    Plugin Contributor photocrati

    (@photocrati)

    @paulmighty – Please send us a Bug Report (https://nextgen-gallery.com/report-bug/ … please reference this topic) so we can get a better look under the page at your site.

    We may need temporary log in (and FTP) credentials for your WordPress installation, please consider those for your Bug Report, too.

    Thanks!

    – Cais.

    Thread Starter PaulMighty

    (@paulmighty)

    Benjamin, your question was answered in my second post to this thread. Hacking the plugin code to pass NULL does fix the issue, but I figured Photocrati might want to explore why there was an issue in the first place.

    Photocrati, the contract I am working under does not allow me to provide access to third parties, sorry. If you have specific questions, I’m happy to provide details.

    Thanks,
    -Paul

    Plugin Contributor photocrati

    (@photocrati)

    @paulmighty – Can you create a mirrored site for us (as in @benjamin, one of our developers) to further review this?

    – Cais.

    Benjamin

    (@benjaminowens)

    Could you determine which of the conditions in the validate_ajax_request() if clause is failing?
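
One way to find out which condition fails, as an added example that is not part of the thread or the plugin's code: the Stub_* classes and the helper name diagnose_ajax_request are hypothetical stand-ins, and only the method names quoted earlier in the thread are taken from the plugin. It also shows that a NULL action returns before either the actor or the token is checked, which is why the workaround above makes the permission error disappear.

```php
<?php
// Added example, not NextGEN Gallery code. The Stub_* classes are constructed
// stand-ins for the plugin's security objects so the script runs on its own.
class Stub_Actor {
    private $caps;
    public function __construct(array $caps) { $this->caps = $caps; }
    public function is_allowed($action) { return in_array($action, $this->caps, true); }
}
class Stub_Token {
    private $valid;
    public function __construct($valid) { $this->valid = $valid; }
    public function check_current_request() { return $this->valid; }
}
class Stub_Security_Manager {
    private $actor;
    private $token;
    public function __construct($actor, $token) { $this->actor = $actor; $this->token = $token; }
    public function get_current_actor() { return $this->actor; }
    public function get_request_token($action) { return $this->token; }
}

// Same decision as validate_ajax_request(), with each condition evaluated
// and reported separately (hypothetical helper name).
function diagnose_ajax_request($security, $action = NULL, $check_token = false)
{
    if (!$action) {
        // Early return: neither the actor nor the token is consulted.
        return array('valid' => true, 'actor_allowed' => null, 'token_ok' => null);
    }
    $allowed  = (bool) $security->get_current_actor()->is_allowed($action);
    // Unlike the original's short-circuit, the token is checked even when the
    // actor is not allowed, so both results show up in the log.
    $token_ok = !$check_token
        || (bool) $security->get_request_token($action)->check_current_request();
    $result = array('valid' => $allowed && $token_ok,
                    'actor_allowed' => $allowed, 'token_ok' => $token_ok);
    // error_log() writes to the PHP error log, so it works inside an AJAX handler.
    error_log('validate_ajax_request(' . $action . '): ' . json_encode($result));
    return $result;
}

// Constructed cases: capability missing, token rejected, and the NULL workaround.
$no_cap    = new Stub_Security_Manager(new Stub_Actor(array()), new Stub_Token(true));
$bad_token = new Stub_Security_Manager(
    new Stub_Actor(array('nextgen_upload_image')), new Stub_Token(false));

var_dump(diagnose_ajax_request($no_cap, 'nextgen_upload_image', TRUE));
var_dump(diagnose_ajax_request($bad_token, 'nextgen_upload_image', TRUE));
var_dump(diagnose_ajax_request($no_cap, NULL, TRUE));
```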

  • The topic ‘No permissions to upload images… for ANY user!’ is closed to new replies.