Unexpected removing existing groups (removing permissions for viewing podcast in admin panel) (#310) · Issues · Ad Aures / Castopod

Unexpected removing existing groups (removing permissions for viewing podcast in admin panel)

### Viewing list of contributors in podcast causes deleting permissions Viewing list of contributors in podcast causes deleting existing rows in `auth_groups_users` table if user has more than 2 podcasts. Adding new podcast from panel by user (bug found on user admin@example.com) causes adding row to table `auth_groups_users` where user_id equal id of creator and group "podcast#1-admin". If user added two podcasts, two rows will appear in table `auth_groups_users`. ![image](/uploads/80a9532da1820e687b286ce6dc8a266f/image.png) On page `/podcast/2/contributors` you can see a list of contributors (here is another bug, i will describe it at the end): ![image](/uploads/a0af1fa12681e1130db7a6efc5c091d8/image.png) but if user will refresh page, there will be only one user on a list. After refresh, permissions are deleted and table `auth_groups_users` looks like this: ![image](/uploads/bb57aa3fc35c5656690766c3c8db3139/image.png) It is caused by line 154 in file: `modules/Auth/Helpers/auth_helper.php` https://github.com/ad-aures/castopod/blob/main/modules/Auth/Helpers/auth_helper.php#L154 Function `get_podcast_group` gets groups but.... removes groups if more than one as well. At the end, user has not permission to podcast with id 1. ### Steps to reproduce 1. Log as admin@example 2. Create two podcasts in panel 3. Go to page with a list of contributors for podcast with id 2 4. Refresh page 5. Go to podcast with id 1. -> You don't have permissions. ### Expected behavior Viewing list of podcast's contributors doesn't delete permission from table `auth_groups_users. ### Actual behavior Viewing list of contributors in podcast causes deleting existing rows in `auth_groups_users` table if user has more than 2 podcasts. ### Relevant logs and/or screenshots In description. ### Context - Castopod: branch develop - OS: windows 11 - Browser: chrome - Web server: Apache ### Possible fixes Rewrite function to getting podcast's contributors. I am not sure if it doesn't occures in some another functions. ### Another bug List of contributors for a podcast shows all rows from table auth_groups_users for a user. It occures because of "like" clause in Modules\Auth\Models\UserModel@getPodcastContributors. ``` SELECT `dev_users`.* FROM `dev_users` JOIN `dev_auth_groups_users` ON `dev_users`.`id` = `dev_auth_groups_users`.`user_id` WHERE `dev_auth_groups_users`.`group` LIKE '%podcast#1%' ESCAPE '!' ``` if podcast id equal **1** it returns also: podcast#11-admin podcast#12-admin

issue