[wp-trac] [WordPress Trac] #3807: Admin Functions Denying Access
with "You don't have permission to do that"
WordPress Trac
wp-trac at lists.automattic.com
Sun Feb 18 01:12:56 GMT 2007
#3807: Admin Functions Denying Access with "You don't have permission to do that"
----------------------------+-----------------------------------------------
Reporter: seanwedig | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone:
Component: Administration | Version: 2.1
Severity: major | Keywords: permissions
----------------------------+-----------------------------------------------
This sounds like it may be related to defect #3798, but my investigations
have pointed me at other potential problems (and potential fix), so I'm
submitting it separately.
I just recently did a completely new installation of WordPress 2.1. I
installed it on a local machine just fine, and ran it with a local
database with no worries (I was doing theme development on a local box).
On this local machine, I could log in as Admin and perform all
administrative tasks I wanted with no problems, including clearing out the
default blogroll items, creating new users, and whatnot.
I then went ahead and uploaded the exact same 2.1 package and installed it
on a server in order to deploy the theme, but found that many of the admin
functions were not working. Not all of them, but most. Those that denied
access all failed with the error message "You don't have permission to do
that." which I tracked down to the AJAX JS code.
I did some digging to see where in the code things were dying and causing
the AJAX permission check to fail on the server (returning '-1'), and I
came across code in wp-includes/pluggable.php's check_ajax_referer
function. Specifically, the call to wp_login was returning false and
dying with '-1', which was then denying access to execute whatever Admin
function I was trying.
After debugging a little, it struck me as odd that, in order to extract
the $user and $pass variables, the submitted cookie values were being
manually parsed out from $_POST['cookie']. This was in
check_ajax_referer.
When I replaced manual parsing with pulling USER_COOKIE and PASS_COOKIE
from the $_COOKIE variable, it appears to have fixed my problem. (I
apologize for not submitting a diff for WP's purposes - I'm not exactly
sure how it should be generated, but I am glad to learn!)
I think it came down to the parsing based on string position of an equal
sign. The hashed cookie keys may have sometimes included that equal sign,
and so messed up the manual parsing; I'm not 100% sure on that - it is
just speculation. I'm willing to accept that I've got it all wrong, as I
do not know the WP code. :)
To be precise, I replaced lines 244 through 250 of wp-includes/pluggable.php
{{{
$cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
foreach ( $cookie as $tasty ) {
    if ( false !== strpos($tasty, USER_COOKIE) )
        $user = substr(strstr($tasty, '='), 1);
    if ( false !== strpos($tasty, PASS_COOKIE) )
        $pass = substr(strstr($tasty, '='), 1);
}
}}}
with
{{{
$user = $_COOKIE[USER_COOKIE];
$pass = $_COOKIE[PASS_COOKIE];
}}}
and it appears to have fixed the problem.
-Sean
--
Ticket URL: <http://trac.wordpress.org/ticket/3807>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
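To make the difference between the two parsing strategies in this ticket concrete, here is a Python port (an added example, not WordPress code) of the `check_ajax_referer` loop quoted above, next to an exact-name parser that behaves the way reading `$_COOKIE[USER_COOKIE]` does. The `explode`/`urldecode`/`strpos`/`strstr` semantics are mirrored with `split`, `unquote_plus`, `in` and slicing. The cookie names, the hash suffix `7f3a9c` and every cookie value are constructed placeholders, and the two failure inputs (a second cookie whose name merely contains the user cookie name, and a value that only decodes to `; ` after the whole string has been url-decoded) are constructed to show where substring matching and decode-before-split go wrong.

```python
from urllib.parse import unquote_plus

# WordPress 2.1 cookie names: fixed prefix plus a site-specific hash.
# The hash suffix here is a constructed placeholder, not a real site hash.
USER_COOKIE = "wordpressuser_7f3a9c"
PASS_COOKIE = "wordpresspass_7f3a9c"


def legacy_parse(raw_cookie):
    """Port of the loop quoted in the ticket: urldecode the entire
    document.cookie string first, split it on '; ', and treat any entry that
    merely *contains* the cookie name (PHP strpos) as a match. Returns the
    (user, pass) pair exactly as the original assignments would leave them."""
    user = pass_ = None
    for tasty in unquote_plus(raw_cookie).split("; "):
        # PHP: substr(strstr($tasty, '='), 1) -> everything after the first '='
        value = tasty[tasty.index("=") + 1:] if "=" in tasty else None
        if USER_COOKIE in tasty:      # false !== strpos($tasty, USER_COOKIE)
            user = value
        if PASS_COOKIE in tasty:      # false !== strpos($tasty, PASS_COOKIE)
            pass_ = value
    return user, pass_


def strict_parse(raw_cookie):
    """Cookie-jar style parsing, approximating what PHP does when it fills
    $_COOKIE: split on '; ' first, split each entry at its first '=', decode
    name and value separately, and require an exact name match."""
    jar = {}
    for entry in raw_cookie.split("; "):
        if "=" not in entry:
            continue                  # not a name=value pair; ignore it
        name, value = entry.split("=", 1)
        jar[unquote_plus(name)] = unquote_plus(value)
    return jar.get(USER_COOKIE), jar.get(PASS_COOKIE)


# Constructed document.cookie strings (values are placeholders, not real hashes).
CLEAN = "wordpressuser_7f3a9c=admin; wordpresspass_7f3a9c=5f4dcc3b"
# A later, unrelated cookie whose name contains USER_COOKIE as a substring:
# the substring match fires again and the last hit wins.
SHADOWED = CLEAN + "; wordpressuser_7f3a9c_theme=dark"
# A value that only turns into '; ' once the whole string is urldecoded,
# so decode-before-split breaks one cookie into two fragments.
SPLIT = "wordpressuser_7f3a9c=ad%3B%20min; wordpresspass_7f3a9c=5f4dcc3b"


def compare(raw_cookie):
    """Return both parsers' results for one cookie string, for side-by-side review."""
    return {"legacy": legacy_parse(raw_cookie), "strict": strict_parse(raw_cookie)}


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("shadowed", SHADOWED), ("split", SPLIT)):
        print(label, compare(raw))
```

On the clean string both parsers agree. On the other two, the legacy loop hands `wp_login` a user value that does not belong to the user cookie (`dark`, or the truncated `ad`), which is exactly the kind of silent mismatch that surfaces as a `-1` permission failure rather than as a parse error; the exact-name parser returns the intended values in both cases.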