Unexpected removing existing groups (removing permissions for viewing podcast in admin panel)
Viewing list of contributors in podcast causes deleting permissions
Viewing list of contributors in podcast causes deleting existing rows in auth_groups_users
table if user has more than 2 podcasts.
Adding new podcast from panel by user (bug found on user admin@example.com) causes adding row to table auth_groups_users
where user_id equal id of creator and group "podcast#1-admin".
If user added two podcasts, two rows will appear in table auth_groups_users.
On page /podcast/2/contributors
you can see a list of contributors (here is another bug, I will describe it at the end):
but if the user refreshes the page, there will be only one user on the list.
After refresh, permissions are deleted and table auth_groups_users
looks like this:
It is caused by line 154 in file: modules/Auth/Helpers/auth_helper.php
https://github.com/ad-aures/castopod/blob/main/modules/Auth/Helpers/auth_helper.php#L154
Function get_podcast_group
gets groups but.... removes groups if more than one as well.
At the end, the user has no permission to podcast with id 1.
Steps to reproduce
- Log as admin@example
- Create two podcasts in panel
- Go to page with a list of contributors for podcast with id 2
- Refresh page
- Go to podcast with id 1. -> You don't have permissions.
Expected behavior
Viewing list of podcast's contributors doesn't delete permission from table `auth_groups_users`.
Actual behavior
Viewing list of contributors in podcast causes deleting existing rows in auth_groups_users
table if user has more than 2 podcasts.
Relevant logs and/or screenshots
In description.
Context
- Castopod: branch develop
- OS: windows 11
- Browser: chrome
- Web server: Apache
Possible fixes
Rewrite the function for getting a podcast's contributors. I am not sure if it doesn't occur in some other functions.
Another bug
List of contributors for a podcast shows all rows from table auth_groups_users for a user. It occurs because of the "like" clause in Modules\Auth\Models\UserModel@getPodcastContributors.
```sql
SELECT `dev_users`.*
FROM `dev_users`
JOIN `dev_auth_groups_users` ON `dev_users`.`id` = `dev_auth_groups_users`.`user_id`
WHERE `dev_auth_groups_users`.`group` LIKE '%podcast#1%' ESCAPE '!'
```
If podcast id equals 1, it also returns:
podcast#11-admin
podcast#12-admin
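
The over-broad `LIKE` match described under "Another bug", reproduced as an added example that is not part of the original report or of Castopod's code. It assumes SQLite in place of the project's database, an unprefixed `auth_groups_users` table, hypothetical function names, and constructed sample rows (the `editor` role name is an assumption).

```python
import sqlite3

# Constructed sample rows, not taken from the reporter's database.
ROWS = [
    (1, "podcast#1-admin"),
    (2, "podcast#11-admin"),
    (3, "podcast#12-admin"),
    (4, "podcast#1-editor"),   # role name is an assumption
    (5, "podcast#2-admin"),
]


def make_db():
    """Build an in-memory table shaped like auth_groups_users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_groups_users (user_id INTEGER, `group` TEXT)")
    db.executemany("INSERT INTO auth_groups_users VALUES (?, ?)", ROWS)
    return db


def _users_matching(db, pattern):
    cur = db.execute(
        "SELECT user_id FROM auth_groups_users "
        "WHERE `group` LIKE ? ESCAPE '!' ORDER BY user_id",
        (pattern,),
    )
    return [row[0] for row in cur]


def contributors_broad(db, podcast_id):
    # Pattern shape from the report: wildcards on both sides of "podcast#<id>",
    # so id 1 also matches groups of podcasts 11, 12, 100, ...
    return _users_matching(db, f"%podcast#{int(podcast_id)}%")


def contributors_anchored(db, podcast_id):
    # Anchor at the start and include the "-" that terminates the id,
    # so only groups of exactly this podcast match.
    return _users_matching(db, f"podcast#{int(podcast_id)}-%")


if __name__ == "__main__":
    db = make_db()
    print("broad   :", contributors_broad(db, 1))
    print("anchored:", contributors_anchored(db, 1))
```
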