Fixed Update user with API doesn't work if using API bypass permissions

Status
Not open for further replies.
Affected version
2.1.8 Patch 1

Kruzya

Well-known member
Steps to reproduce:
  1. Log into ACP.
  2. Create Super user key with access to user:write.
  3. Try use method users/{id}/ with api_bypass_permissions=1
Received result: I got server_error_occured (see details from log entry below).
Expected result: No one error has been thrown (or another, not server_error_occured) and method call finished.

Log entry:
  • ErrorException: [E_NOTICE] Trying to get property 'is_super_admin' of non-object
  • src\XF\Api\Controller\User.php:151
  • Stack trace
    1. src\XF\Api\Controller\User.php(151): XF::handlePhpError(8, '[E_NOTICE] Tryi...', '/var/www/fo...', 151, Array)
    2. src\XF\Mvc\Dispatcher.php(350): XF\Api\Controller\User->actionPost(Object(XF\Mvc\ParameterBag))
    3. src\XF\Api\Mvc\Dispatcher.php(27): XF\Mvc\Dispatcher->dispatchClass('XF:User', 'Post', Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
    4. src\XF\Mvc\Dispatcher.php(113): XF\Api\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
    5. src\XF\Mvc\Dispatcher.php(55): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Api\Mvc\RouteMatch))
    6. src\XF\App.php(2184): XF\Mvc\Dispatcher->run()
    7. src\XF.php(391): XF\App->run()
    8. index.php(16): XF::runApp('XF\\Api\\App')
    9. {main}
 
Last edited:

Mike

XenForo developer
Staff member
There is a bug with this code that causes that error, though as it stands, even with that bug fixed, you'd get an error.

Right now, if you are trying to edit a super admin, the user you're making the request as has to be a super admin themselves and this doesn't check bypass permissions. There's a comment that indicates this is intentional, though I'll have to think about that.

So the workaround would be to ensure that the user you're using the key as is a super admin themselves.
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.9).

Change log:
Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
There may be a delay before changes are rolled out to the XenForo Community.
 

Neolo

New member
After update 2.2.2 to 2.2.4 is the same crap. Super user API key is completely ruined as well as all related nodes. Quite irritating. Because it worked on 2.2.2. And that's what you call a first "Super stable" release?
And yes, key is used by actual super admin.

Code:
ErrorException: [E_NOTICE] Trying to get property 'is_super_user' of non-object src/XF/Api/App.php:107

array(4) {
  ["url"] => string(22) "/api/auth/from-session"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(2) {
    ["api_bypass_permissions"] => string(1) "1"
    ["session_id"] => string(32) "PLdhNIcmLUvGqc0CY0h-aQpXlwPHuFhk"
  }
}

ErrorException: [E_NOTICE] Trying to get property 'key_type' of non-object src/XF/Api/Controller/AbstractController.php:213
array(4) {
  ["url"] => string(22) "/api/auth/from-session"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(1) {
    ["session_id"] => string(32) "PLdhNIcmLUvGqc0CY0h-aQpXlwPHuFhk"
  }
}




So I went to /src/XF.php and reverted block "@return \XF\Entity\ApiKey" from 2.2.2 version.
Lines "return self::$apiKey;"
And it started working again.

Why the heck you ruin it?
 
Last edited:

Mike

XenForo developer
Staff member
If you require support, please associate your forum account with your customer account and then you'll be able to post in a support (or development) forum.
 

Neolo

New member
If you require support, please associate your forum account with your customer account and then you'll be able to post in a support (or development) forum.
No I don't? I spend 8 hours to fix this BUG after your "very stable" update rolled out. This is quite shocking how can you ruin entire API with just one update, which demonstrates your irresponsibility or lack of tests performed.
 

Chris D

XenForo developer
Staff member
First, the code you mentioned hasn't changed between the two versions you mentioned in your original post or ever in the last two years. There have been no reports of any issues so it would suggest the issue may lie in your implementation.

Second, you are not showing as a licensed customer so, as stated, if you require further support and would like to create a thread with more details then you should demonstrate that you are entitled to receive support or submit a ticket from your customer area.

If you are not licensed, you are not permitted to post here any further until you are and no further posts of yours will be published.
 

Neolo

New member
First, the code you mentioned hasn't changed between the two versions you mentioned in your original post or ever in the last two years. There have been no reports of any issues so it would suggest the issue may lie in your implementation.
It didn't, really? Just yet another proof of careless.

2.2.4 XF.php check with your hash of the file
return self::$apiBypassPermissions && self::apiKey()->is_super_user;

VS

2.2.2
return self::$apiKey;
Swapped back to the old code and fixed. Of course, it's my implementation, what else. Duh.

Now everybody watch, they will rush with another update in few days, because got ashamed. But they will never admit it.

If you are not licensed, you are not permitted to post here any further until you are and no further posts of yours will be published.
Watch me. I don't care.
 

Chris D

XenForo developer
Staff member
Thanks for providing more information.

I can confirm categorically that whatever code you think belongs to XF 2.2.2 absolutely does not.

The only location that return self::$apiKey; appears in XF.php is within the apiKey function which hasn't been changed since we first implemented it in XF 2.1.0.

The code return self::$apiBypassPermissions && self::apiKey()->is_super_user; appears in XF.php in the isBypassingPermissions function and that function, also, has not been changed since we first implemented it in XF 2.1.0.

In other words, out of the code you have mentioned, every line of it is exactly as it has been since it was first written in XF 2.1.0.

What this clearly demonstrates is that wherever you obtained our code from - because it certainly isn't us - had modified the code in some way. This is why people should purchase a license instead of obtaining the code illegally from nulled websites.

If you would like to discuss the matter with us further, please purchase a license.
 

Lawrence

Well-known member
XF 2.1.12:
PHP:
    public static function isApiBypassingPermissions()
    {
        return self::$apiBypassPermissions && self::apiKey()->is_super_user;
    }

XF 2.2.4:
PHP:
    public static function isApiBypassingPermissions()
    {
        return self::$apiBypassPermissions && self::apiKey()->is_super_user;
    }

Enough said.
 

Neolo

New member
What are you talking about? Are you sure you are looking at the right block?
On the left is 2.2.2, right is 2.2.4.
I have got a copy from your server and since I'm here just to point at your mistake and not looking for any support tickets, because I have figured it out myself faster that you started your work day, I'm not going to reveal a license key just to get it banned by some pissed off dev. You take this report or you don't, it's up to you, but be more careful of what you roll out. Thanks.
 

Attachments

  • Screen Shot 2021-03-15 at 3.52.29 AM.png
    Screen Shot 2021-03-15 at 3.52.29 AM.png
    578.7 KB · Views: 27

Chris D

XenForo developer
Staff member
What are you talking about? Are you sure you are looking at the right block?
On the left is 2.2.2, right is 2.2.4.
I have got a copy from your server and since I'm here just to point at your mistake and not looking for any support tickets, because I have figured it out myself faster that you started your work day, I'm not going to reveal a license key just to get it banned by some pissed off dev. You take this report or you don't, it's up to you, but be more careful of what you roll out. Thanks.

XF 2.2.2:

1615816984180.png

XF 2.2.4:

1615816956438.png

You did not get the code you say is from 2.2.4 from us.

At this point, there's not much point in labouring the point.

Again, if you require further support on this, please purchase a license.
 
Status
Not open for further replies.
Top