Question about _assertViewingPermissions

[netrix]

When I overwrite this function like this

        public function  _assertViewingPermissions($action)
        {
 
        }

it results into the situation that every permission check seems to be removed, even if somebody couldn't view the entire page, everything build on top of this class will be visible to the visitor, so my question is if there are any negative side effects?

 

[tyteen4a03]

Well the permission check for all controllers that rely on this method will be completely ignored. Depends on your forum's needs this could range from No Big Deal to Massive Information Leak.

 

[netrix]

This page must be always available and the original developer of this addon added the following code to make the page available in service mode.

        /**
        * overwrite the original method to show the page if the board is deactivated
        */
        public function _assertBoardActive($action)
        {
 
        }

So I tried my change to keep it available, even if I do something wrong in the user right configs.
So the question, if this will only remove the rights for everything which is based on this class? (Which shouldn't do harm)

 

[tyteen4a03]

This page must be always available and the original developer of this addon added the following code to make the page available in service mode.

        /**
        * overwrite the original method to show the page if the board is deactivated
        */
        public function _assertBoardActive($action)
        {
 
        }

So I tried my change to keep it available, even if I do something wrong in the user right configs.
So the question, if this will only remove the rights for everything which is based on this class? (Which shouldn't do harm)

Yes.

Also, _assertBoardActive is a protected function.

 

[Chris D]

How exactly are you extending it?

Are you returning the parent response at any point (so it is extending and not overwriting it)?

Also, you might want to ensure you're using the correct declaration.

It should be protected function _assertViewingPermissions

Basically the gist of what you want to do is this:

	protected function _assertViewingPermissions($action)
	{
		$parent = parent::_assertViewingPermissions($action);
		
		// Your Extended Code Here
		
		return $parent;
	}

There's no way that should be overwriting existing permissions... If it is, we might need to see your existing code to see where it is going wrong.

 

[netrix]

This is the addon on GitHub: https://github.com/ragtek/InfoPage

And this is the file: https://github.com/ragtek/InfoPage/blob/master/ControllerPublic/Info.php

This is the Code, where I applied my changes to.

<?php
 
    class Ragtek_InfoPage_ControllerPublic_Info extends XenForo_ControllerPublic_Abstract
    {
 
        public function actionIndex()
        {
            $page = $this->_input->filterSingle('page', XenForo_Input::STRING);
            return $this->generateOutput($page);
        }
 
        protected function generateOutput($page)
        {
            switch ($page) {
                case 'impressum':
                    $content = new XenForo_Phrase('ragtek_infopage_impressum_content');
                    break;
                case 'terms':
                    $content = new XenForo_Phrase('terms_rules_text');
                    break;
                case 'privacy':
                    $content = new XenForo_Phrase('ragtek_infopage_privacy_content');
                    break;
                case 'cookies':
                    $content = new XenForo_Phrase('help_cookies_description');
                break;
                default:
                    $content = new XenForo_Phrase('ragtek_infopage_global_content');
            }
 
            $viewParams = array(
                'selected' => $page,
                'content' => $content
            );
            return $this->responseView('Ragtek_Impressum_ViewPublic_Impressum_Wrapper', 'ragtek_infopage_wrapper', $viewParams);
        }
 
        /**
        * return the action for the online list
        * @param array $activities
        * @return phrase
        */
        public static function getSessionActivityDetailsForList(array $activities)
        {
            foreach ($activities AS $activity) {
                $do = $activity['params']['page'];
                switch ($do) {
                    case 'privacy':
                        $phrase = new XenForo_Phrase('viewing_ragtek_privacy');
                        break;
                    case 'terms':
                        $phrase = new XenForo_Phrase('viewing_ragtek_terms');
                        break;
                    case 'impressum':
                        break;
                    case 'cookies':
                        $phrase = new XenForo_Phrase('viewing_ragtek_cookiepage');
                    default:
                        $phrase = new XenForo_Phrase('viewing_ragtek_infopage');
                }
                return $phrase;
            }
        }
 
        /**
        * overwrite the original method to show the page if the board is deactivated
        */
        public function _assertBoardActive($action)
        {
 
        }
 
        /**
        * (non-PHPdoc)
        * @see XenForo_ControllerPublic_Abstract::_assertViewingPermissions()
        * overwrite the original method to show the page even if the visitor has no right to view the page
        */
 
        public function  _assertViewingPermissions($action)
        {
 
        }
    }

I just copied the part "public function _assert" and my IDE showed me the function "_assertViewingPermissions($action)". So I did the same thing that ragtek did with the other function "public function _assertBoardActive($action)".