Fixed Update user with API doesn't work if using API bypass permissions

[Kruzya]

Affected version

2.1.8 Patch 1

Steps to reproduce:

1. Log into ACP.
2. Create Super user key with access to user:write.
3. Try use method users/{id}/ with api_bypass_permissions=1

Received result: I got server_error_occured (see details from log entry below).
Expected result: No one error has been thrown (or another, not server_error_occured) and method call finished.

Log entry:

• ErrorException: [E_NOTICE] Trying to get property 'is_super_admin' of non-object
• src\XF\Api\Controller\User.php:151
• Stack trace
  1. src\XF\Api\Controller\User.php(151): XF::handlePhpError(8, '[E_NOTICE] Tryi...', '/var/www/fo...', 151, Array)
  2. src\XF\Mvc\Dispatcher.php(350): XF\Api\Controller\User->actionPost(Object(XF\Mvc\ParameterBag))
  3. src\XF\Api\Mvc\Dispatcher.php(27): XF\Mvc\Dispatcher->dispatchClass('XF:User', 'Post', Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
  4. src\XF\Mvc\Dispatcher.php(113): XF\Api\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
  5. src\XF\Mvc\Dispatcher.php(55): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Api\Mvc\RouteMatch))
  6. src\XF\App.php(2184): XF\Mvc\Dispatcher->run()
  7. src\XF.php(391): XF\App->run()
  8. index.php(16): XF::runApp('XF\\Api\\App')
  9. {main}

 

[Mike]

There is a bug with this code that causes that error, though as it stands, even with that bug fixed, you'd get an error.

Right now, if you are trying to edit a super admin, the user you're making the request as has to be a super admin themselves and this doesn't check bypass permissions. There's a comment that indicates this is intentional, though I'll have to think about that.

So the workaround would be to ensure that the user you're using the key as is a super admin themselves.

 

[Kruzya]

There's a comment that indicates this is intentional, though I'll have to think about that.

Yeah, i noticed two minutes ago, and edited bug report. Now i expect another error.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.9).

Change log:

Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)

There may be a delay before changes are rolled out to the XenForo Community.

 

[Neolo]

After update 2.2.2 to 2.2.4 is the same crap. Super user API key is completely ruined as well as all related nodes. Quite irritating. Because it worked on 2.2.2. And that's what you call a first "Super stable" release?
And yes, key is used by actual super admin.

ErrorException: [E_NOTICE] Trying to get property 'is_super_user' of non-object src/XF/Api/App.php:107

array(4) {
  ["url"] => string(22) "/api/auth/from-session"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(2) {
    ["api_bypass_permissions"] => string(1) "1"
    ["session_id"] => string(32) "PLdhNIcmLUvGqc0CY0h-aQpXlwPHuFhk"
  }
}

ErrorException: [E_NOTICE] Trying to get property 'key_type' of non-object src/XF/Api/Controller/AbstractController.php:213
array(4) {
  ["url"] => string(22) "/api/auth/from-session"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(1) {
    ["session_id"] => string(32) "PLdhNIcmLUvGqc0CY0h-aQpXlwPHuFhk"
  }
}

So I went to /src/XF.php and reverted block "@return \XF\Entity\ApiKey" from 2.2.2 version.
Lines "return self::$apiKey;"
And it started working again.

Why the heck you ruin it?

 

[Mike]

If you require support, please associate your forum account with your customer account and then you'll be able to post in a support (or development) forum.

 

[Neolo]

If you require support, please associate your forum account with your customer account and then you'll be able to post in a support (or development) forum.

No I don't? I spend 8 hours to fix this BUG after your "very stable" update rolled out. This is quite shocking how can you ruin entire API with just one update, which demonstrates your irresponsibility or lack of tests performed.

 

[Chris D]

First, the code you mentioned hasn't changed between the two versions you mentioned in your original post or ever in the last two years. There have been no reports of any issues so it would suggest the issue may lie in your implementation.

Second, you are not showing as a licensed customer so, as stated, if you require further support and would like to create a thread with more details then you should demonstrate that you are entitled to receive support or submit a ticket from your customer area.

If you are not licensed, you are not permitted to post here any further until you are and no further posts of yours will be published.

 

[Neolo]

First, the code you mentioned hasn't changed between the two versions you mentioned in your original post or ever in the last two years. There have been no reports of any issues so it would suggest the issue may lie in your implementation.

It didn't, really? Just yet another proof of careless.

2.2.4 XF.php check with your hash of the file

return self::$apiBypassPermissions && self::apiKey()->is_super_user;

VS

2.2.2

return self::$apiKey;

Swapped back to the old code and fixed. Of course, it's my implementation, what else. Duh.

Now everybody watch, they will rush with another update in few days, because got ashamed. But they will never admit it.

If you are not licensed, you are not permitted to post here any further until you are and no further posts of yours will be published.

Watch me. I don't care.

 

[Chris D]

Thanks for providing more information.

I can confirm categorically that whatever code you think belongs to XF 2.2.2 absolutely does not.

The only location that return self::$apiKey; appears in XF.php is within the apiKey function which hasn't been changed since we first implemented it in XF 2.1.0.

The code return self::$apiBypassPermissions && self::apiKey()->is_super_user; appears in XF.php in the isBypassingPermissions function and that function, also, has not been changed since we first implemented it in XF 2.1.0.

In other words, out of the code you have mentioned, every line of it is exactly as it has been since it was first written in XF 2.1.0.

What this clearly demonstrates is that wherever you obtained our code from - because it certainly isn't us - had modified the code in some way. This is why people should purchase a license instead of obtaining the code illegally from nulled websites.

If you would like to discuss the matter with us further, please purchase a license.

 

[Lawrence]

XF 2.1.12:

    public static function isApiBypassingPermissions()
    {
        return self::$apiBypassPermissions && self::apiKey()->is_super_user;
    }

XF 2.2.4:

    public static function isApiBypassingPermissions()
    {
        return self::$apiBypassPermissions && self::apiKey()->is_super_user;
    }

Enough said.

 

[Kier]

 

[Neolo]

What are you talking about? Are you sure you are looking at the right block?
On the left is 2.2.2, right is 2.2.4.
I have got a copy from your server and since I'm here just to point at your mistake and not looking for any support tickets, because I have figured it out myself faster that you started your work day, I'm not going to reveal a license key just to get it banned by some pissed off dev. You take this report or you don't, it's up to you, but be more careful of what you roll out. Thanks.

 

[Chris D]

What are you talking about? Are you sure you are looking at the right block?
On the left is 2.2.2, right is 2.2.4.
I have got a copy from your server and since I'm here just to point at your mistake and not looking for any support tickets, because I have figured it out myself faster that you started your work day, I'm not going to reveal a license key just to get it banned by some pissed off dev. You take this report or you don't, it's up to you, but be more careful of what you roll out. Thanks.

XF 2.2.2:



XF 2.2.4:



You did not get the code you say is from 2.2.4 from us.

At this point, there's not much point in labouring the point.

Again, if you require further support on this, please purchase a license.

 

[Kier]

We will be happy to discuss your issue through licensed customer support:

Customer area login

xenforo.com

 

[Kier]

And for anyone else in any doubt, this is the 'blame log' for the code in question, which was last edited three years ago.