
Unexpected removing existing groups (removing permissions for viewing podcast in admin panel)

Viewing list of contributors in podcast causes deleting permissions

Viewing the list of contributors in a podcast causes existing rows in the auth_groups_users table to be deleted if the user has more than 2 podcasts. Adding a new podcast from the panel by a user (bug found on user admin@example.com) adds a row to the table auth_groups_users where user_id equals the id of the creator and the group is "podcast#1-admin".

If the user added two podcasts, two rows will appear in the table auth_groups_users.

image

On the page /podcast/2/contributors you can see a list of contributors (here is another bug, I will describe it at the end):

image

but if the user refreshes the page, there will be only one user on the list.

After the refresh, permissions are deleted and the table auth_groups_users looks like this:

image

It is caused by line 154 in file: modules/Auth/Helpers/auth_helper.php https://github.com/ad-aures/castopod/blob/main/modules/Auth/Helpers/auth_helper.php#L154

The function get_podcast_group gets groups but... also removes groups if there is more than one.

In the end, the user has no permission for the podcast with id 1.

Steps to reproduce

  1. Log in as admin@example
  2. Create two podcasts in panel
  3. Go to page with a list of contributors for podcast with id 2
  4. Refresh page
  5. Go to podcast with id 1. -> You don't have permissions.

Expected behavior

Viewing the list of a podcast's contributors doesn't delete permissions from the table `auth_groups_users`.

Actual behavior

Viewing the list of contributors in a podcast causes existing rows in the auth_groups_users table to be deleted if the user has more than 2 podcasts.

Relevant logs and/or screenshots

In description.

Context

  • Castopod: branch develop
  • OS: Windows 11
  • Browser: Chrome
  • Web server: Apache

Possible fixes

Rewrite the function for getting a podcast's contributors. I am not sure whether it also occurs in other functions.

Another bug

The list of contributors for a podcast shows all rows from the table auth_groups_users for a user. It occurs because of the "like" clause in Modules\Auth\Models\UserModel@getPodcastContributors.

```sql
SELECT `dev_users`.*
FROM `dev_users`
JOIN `dev_auth_groups_users` ON `dev_users`.`id` = `dev_auth_groups_users`.`user_id`
WHERE `dev_auth_groups_users`.`group` LIKE '%podcast#1%' ESCAPE '!'
```

If the podcast id equals 1, it also returns:

podcast#11-admin

podcast#12-admin

Edited by Krzysztof Domańczy
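
The over-match from the LIKE clause described in the report, reproduced as an added example (not Castopod's code): it runs the reported query shape in SQLite over constructed rows and compares it with a pattern anchored on the `podcast#<id>-` prefix. The user names, the `editor` role, the helper names and the anchored pattern are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows; table and column names follow the query in the report.
ROWS = [
    (1, "alice", "podcast#1-admin"),
    (2, "bob", "podcast#11-admin"),
    (3, "carol", "podcast#12-admin"),
    (4, "dave", "podcast#1-editor"),  # role name "editor" is an assumption
]

QUERY = """
SELECT dev_users.username
FROM dev_users
JOIN dev_auth_groups_users ON dev_users.id = dev_auth_groups_users.user_id
WHERE dev_auth_groups_users."group" LIKE ? ESCAPE '!'
ORDER BY dev_users.id
"""


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dev_users (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute('CREATE TABLE dev_auth_groups_users (user_id INTEGER, "group" TEXT)')
    for uid, name, group in ROWS:
        db.execute("INSERT INTO dev_users VALUES (?, ?)", (uid, name))
        db.execute("INSERT INTO dev_auth_groups_users VALUES (?, ?)", (uid, group))
    return db


def contributors(db, pattern):
    """Return usernames whose group matches the LIKE pattern."""
    return [row[0] for row in db.execute(QUERY, (pattern,))]


def reported_pattern(podcast_id):
    # Shape from the report: wildcards on both sides, so id 1 also matches 11 and 12.
    return f"%podcast#{int(podcast_id)}%"


def anchored_pattern(podcast_id):
    # Hypothetical tightening: fixed prefix plus the "-" that terminates the id.
    return f"podcast#{int(podcast_id)}-%"


if __name__ == "__main__":
    db = make_db()
    print("reported:", contributors(db, reported_pattern(1)))
    print("anchored:", contributors(db, anchored_pattern(1)))
```
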