
Permission system is broken if json_decode function is not installed #3525

Closed
Kulak opened this issue Oct 20, 2015 · 9 comments

Comments

@Kulak

commented Oct 20, 2015

TLDR: the OpenCart implementation of the json_decode function does not match the standard version of the function. Thus, systems that don't have it installed observe a completely broken permission system (everything is denied).

Version: 2.1.0.1 and GIT master as of October 20, 2015
Version: 2.0.3.1 works if the same installation procedure is followed.

Pre-condition: no db exists; clean directory tree.

Administrator user is unable to navigate to any admin area except for Dashboard. Administrator gets "Permission Denied" error message.

A hack in the function "hasPermission" to always return true enables all features. Web interface reports that user is a member of Administrator group.

WARNING: when editing the Administrator group through the web interface, the web interface displays not a single checked checkbox. I checked all and saved changes. I verified that the database content has lots of entries (see below). I reopened the Administrator group in the web interface and observed that not a single permission item is checked. This might be a way to troubleshoot the issue.

SQL query used to verify group permissions:

select * from oc_user_group;

Query result:

| 1 | Administrator | {"access":["analytics\/google_analytics","captcha\/basic_captcha","captcha\/google_captcha","catalog\/attribute","catalog\/attribute_group","catalog\/category","catalog\/download","catalog\/filter","catalog\/information","catalog\/manufacturer","catalog\/option","catalog\/product","catalog\/recurring","catalog\/review","common\/column_left","common\/filemanager","common\/menu","common\/profile","common\/sass","common\/stats","customer\/custom_field","customer\/customer","customer\/customer_group","design\/banner","design\/layout","extension\/analytics","extension\/captcha","extension\/feed","extension\/fraud","extension\/installer","extension\/modification","extension\/module","extension\/openbay","extension\/payment","extension\/shipping","extension\/total","feed\/google_base","feed\/google_sitemap","feed\/openbaypro","fraud\/fraudlabspro","fraud\/ip","fraud\/maxmind","localisation\/country","localisation\/currency","localisation\/geo_zone","localisation\/language","localisation\/length_class","localisation\/location","localisation\/order_status","localisation\/return_action","localisation\/return_reason","localisation\/return_status","localisation\/stock_status","localisation\/tax_class","localisation\/tax_rate","localisation\/weight_class","localisation\/zone","marketing\/affiliate","marketing\/contact","marketing\/coupon","marketing\/marketing","module\/account","module\/affiliate","module\/amazon_login","module\/amazon_pay","module\/banner","module\/bestseller","module\/carousel","module\/category","module\/ebay_listing","module\/featured","module\/filter","module\/google_hangouts","module\/html","module\/information","module\/latest","module\/pp_button","module\/pp_login","module\/slideshow","module\/special","module\/store","openbay\/amazon","openbay\/amazon_listing","openbay\/amazon_product","openbay\/amazonus","openbay\/amazonus_listing","openbay\/amazonus_product","openbay\/ebay","openbay\/ebay_profile","openbay\/ebay_template","openbay\/etsy","openbay\/etsy_product","openbay\/etsy_shipping","openbay\/etsy_shop","payment\/amazon_login_pay","payment\/authorizenet_aim","payment\/authorizenet_sim","payment\/bank_transfer","payment\/bluepay_hosted","payment\/bluepay_redirect","payment\/cheque","payment\/cod","payment\/firstdata","payment\/firstdata_remote","payment\/free_checkout","payment\/g2apay","payment\/globalpay","payment\/globalpay_remote","payment\/klarna_account","payment\/klarna_invoice","payment\/liqpay","payment\/nochex","payment\/paymate","payment\/paypoint","payment\/payza","payment\/perpetual_payments","payment\/pp_express","payment\/pp_payflow","payment\/pp_payflow_iframe","payment\/pp_pro","payment\/pp_pro_iframe","payment\/pp_standard","payment\/realex","payment\/realex_remote","payment\/sagepay_direct","payment\/sagepay_server","payment\/sagepay_us","payment\/securetrading_pp","payment\/securetrading_ws","payment\/skrill","payment\/twocheckout","payment\/web_payment_software","payment\/worldpay","report\/affiliate","report\/affiliate_activity","report\/affiliate_login","report\/customer_activity","report\/customer_credit","report\/customer_login","report\/customer_online","report\/customer_order","report\/customer_reward","report\/marketing","report\/product_purchased","report\/product_viewed","report\/sale_coupon","report\/sale_order","report\/sale_return","report\/sale_shipping","report\/sale_tax","sale\/order","sale\/recurring","sale\/return","sale\/voucher","sale\/voucher_theme","setting\/setting","setting\/store","shipping\/auspost","shipping\/citylink","shipping\/fedex","shipping\/flat","shipping\/free","shipping\/item","shipping\/parcelforce_48","shipping\/pickup","shipping\/royal_mail","shipping\/ups","shipping\/usps","shipping\/weight","tool\/backup","tool\/error_log","tool\/upload","total\/coupon","total\/credit","total\/handling","total\/klarna_fee","total\/low_order_fee","total\/reward","total\/shipping","total\/sub_total","total\/tax","total\/total","total\/voucher","user\/api","user\/user","user\/user_permission"],"modify":["analytics\/google_analytics","captcha\/basic_captcha","captcha\/google_captcha","catalog\/attribute","catalog\/attribute_group","catalog\/category","catalog\/download","catalog\/filter","catalog\/information","catalog\/manufacturer","catalog\/option","catalog\/product","catalog\/recurring","catalog\/review","common\/column_left","common\/filemanager","common\/menu","common\/profile","common\/sass","common\/stats","customer\/custom_field","customer\/customer","customer\/customer_group","design\/banner","design\/layout","extension\/analytics","extension\/captcha","extension\/feed","extension\/fraud","extension\/installer","extension\/modification","extension\/module","extension\/openbay","extension\/payment","extension\/shipping","extension\/total","feed\/google_base","feed\/google_sitemap","feed\/openbaypro","fraud\/fraudlabspro","fraud\/ip","fraud\/maxmind","localisation\/country","localisation\/currency","localisation\/geo_zone","localisation\/language","localisation\/length_class","localisation\/location","localisation\/order_status","localisation\/return_action","localisation\/return_reason","localisation\/return_status","localisation\/stock_status","localisation\/tax_class","localisation\/tax_rate","localisation\/weight_class","localisation\/zone","marketing\/affiliate","marketing\/contact","marketing\/coupon","marketing\/marketing","module\/account","module\/affiliate","module\/amazon_login","module\/amazon_pay","module\/banner","module\/bestseller","module\/carousel","module\/category","module\/ebay_listing","module\/featured","module\/filter","module\/google_hangouts","module\/html","module\/information","module\/latest","module\/pp_button","module\/pp_login","module\/slideshow","module\/special","module\/store","openbay\/amazon","openbay\/amazon_listing","openbay\/amazon_product","openbay\/amazonus","openbay\/amazonus_listing","openbay\/amazonus_product","openbay\/ebay","openbay\/ebay_profile","openbay\/ebay_template","openbay\/etsy","openbay\/etsy_product","openbay\/etsy_shipping","openbay\/etsy_shop","payment\/amazon_login_pay","payment\/authorizenet_aim","payment\/authorizenet_sim","payment\/bank_transfer","payment\/bluepay_hosted","payment\/bluepay_redirect","payment\/cheque","payment\/cod","payment\/firstdata","payment\/firstdata_remote","payment\/free_checkout","payment\/g2apay","payment\/globalpay","payment\/globalpay_remote","payment\/klarna_account","payment\/klarna_invoice","payment\/liqpay","payment\/nochex","payment\/paymate","payment\/paypoint","payment\/payza","payment\/perpetual_payments","payment\/pp_express","payment\/pp_payflow","payment\/pp_payflow_iframe","payment\/pp_pro","payment\/pp_pro_iframe","payment\/pp_standard","payment\/realex","payment\/realex_remote","payment\/sagepay_direct","payment\/sagepay_server","payment\/sagepay_us","payment\/securetrading_pp","payment\/securetrading_ws","payment\/skrill","payment\/twocheckout","payment\/web_payment_software","payment\/worldpay","report\/affiliate","report\/affiliate_activity","report\/affiliate_login","report\/customer_activity","report\/customer_credit","report\/customer_login","report\/customer_online","report\/customer_order","report\/customer_reward","report\/marketing","report\/product_purchased","report\/product_viewed","report\/sale_coupon","report\/sale_order","report\/sale_return","report\/sale_shipping","report\/sale_tax","sale\/order","sale\/recurring","sale\/return","sale\/voucher","sale\/voucher_theme","setting\/setting","setting\/store","shipping\/auspost","shipping\/citylink","shipping\/fedex","shipping\/flat","shipping\/free","shipping\/item","shipping\/parcelforce_48","shipping\/pickup","shipping\/royal_mail","shipping\/ups","shipping\/usps","shipping\/weight","tool\/backup","tool\/error_log","tool\/upload","total\/coupon","total\/credit","total\/handling","total\/klarna_fee","total\/low_order_fee","total\/reward","total\/shipping","total\/sub_total","total\/tax","total\/total","total\/voucher","user\/api","user\/user","user\/user_permission"]} |

select * from oc_user
reports:

user_id: 1
user_group_id: 1

Please, note that I am an Open Cart newbie, so I may not know what you are talking about.

@Kulak

Author

commented Oct 21, 2015

Reason for the issue is the incorrect implementation of the function json_decode in system/helper/json.php

I took the content of the opencart.sql file with the generated content and wrote a simple PHP script to decode the content:

<?php
// The permission blob is truncated ("...") in the comment as posted.
$json = '{"access":["analytics\\/google_analytics","captcha\\/basic_captcha",...
$obj = json_decode($json);
var_dump($obj);

I got error: Fatal error: Call to undefined function json_decode()

I then copied the OpenCart implementation into my test script and ran the script.

Truncated output with opencart implementation:

object(stdClass)#1 (2) {
["access"]=>
array(185) {
  [0]=>
  string(27) "analytics\/google_analytics"
  [1]=>
  string(22) "captcha\/basic_captcha"

I then installed the json package (php56-json on FreeBSD) and ran the test application again with the following result:

object(stdClass)#1 (2) {
["access"]=>
array(185) {
  [0]=>
  string(26) "analytics/google_analytics"
  [1]=>
  string(21) "captcha/basic_captcha"

Note how the json package outputs a single slash separator and the OpenCart utility outputs \/ as a separator.

This resulted in incorrect permissions for Administrator across the system.

I restarted php-fpm service and Permission issue went away.

Someone would have to either fix the helper function or remove it.
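The comparison above, as an added example that is not OpenCart's code and not its json.php helper: a constructed permission blob with escaped slashes, a deliberately naive decoder that keeps the `\/` escape (standing in for the behaviour the reporter observed), a decoder that resolves the escapes the way the builtin json_decode does, and the kind of route-in-list check the reporter patched. Every function name and the sample JSON are this example's own; where the json extension is loaded, the correct decoder's output is also compared against the builtin.

```php
<?php
// Added example, not OpenCart's code and not its json.php helper. It models the
// failure described in this issue: permissions stored as a JSON blob whose
// strings carry the escaped solidus ("catalog\/product") are compared against a
// request route written as "catalog/product". A decoder that leaves the escape
// in place denies every route; one that resolves it (as the builtin json_decode
// does) grants the expected ones. Every function and constant here is this
// example's own; the sample blob is constructed, not taken from a database.

// Constructed sample in the shape of the user_group permission column.
const SAMPLE_PERMISSION_JSON =
    '{"access":["catalog\/product","user\/user_permission"],"modify":["catalog\/product"]}';

// Pull the quoted elements of the "access" and "modify" arrays out of the blob.
// Deliberately naive: each string is kept exactly as it appears in the JSON,
// escapes included. This stands in for the behaviour the issue reports.
function naive_decode_permissions($json) {
    $result = array('access' => array(), 'modify' => array());
    foreach (array('access', 'modify') as $key) {
        if (preg_match('~"' . $key . '":\[([^\]]*)\]~', $json, $m)) {
            preg_match_all('~"([^"]*)"~', $m[1], $items);
            $result[$key] = $items[1];
        }
    }
    return $result;
}

// Resolve the JSON string escapes (RFC 7159 section 7), "\/" among them.
// \uXXXX goes through html_entity_decode; surrogate pairs are not joined here,
// which is fine for ASCII route names like the ones in the issue.
function json_unescape_string($s) {
    return preg_replace_callback('~\\\\(["\\\\/bfnrt]|u[0-9a-fA-F]{4})~', function ($m) {
        static $short = array(
            '"' => '"', '\\' => '\\', '/' => '/',
            'b' => "\x08", 'f' => "\x0c", 'n' => "\n", 'r' => "\r", 't' => "\t",
        );
        $e = $m[1];
        if ($e[0] === 'u') {
            return html_entity_decode('&#x' . substr($e, 1) . ';', ENT_QUOTES, 'UTF-8');
        }
        return $short[$e];
    }, $s);
}

// Same extraction with the escapes resolved: what a correct decoder yields.
function correct_decode_permissions($json) {
    $decoded = naive_decode_permissions($json);
    foreach ($decoded as $key => $routes) {
        $decoded[$key] = array_map('json_unescape_string', $routes);
    }
    return $decoded;
}

// The check pattern the issue describes: is the requested route listed under
// the requested permission type? Strict comparison, and a miss means "denied".
function has_permission(array $permissions, $key, $route) {
    return isset($permissions[$key]) && in_array($route, $permissions[$key], true);
}

$naive   = naive_decode_permissions(SAMPLE_PERMISSION_JSON);
$correct = correct_decode_permissions(SAMPLE_PERMISSION_JSON);

// The naive decoder stores "catalog\/product", so the real route never matches.
assert(has_permission($naive, 'access', 'catalog/product') === false);
// Resolving the escape restores the expected grant...
assert(has_permission($correct, 'access', 'catalog/product') === true);
// ...and agrees with the json extension whenever it is loaded.
if (function_exists('json_decode')) {
    assert($correct === json_decode(SAMPLE_PERMISSION_JSON, true));
}
// "modify" is narrower than "access" in the sample; the check must not conflate them.
assert(has_permission($correct, 'modify', 'user/user_permission') === false);

printf("naive decoder grants catalog/product: %s\n",
    has_permission($naive, 'access', 'catalog/product') ? 'yes' : 'no');
printf("correct decoder grants catalog/product: %s\n",
    has_permission($correct, 'access', 'catalog/product') ? 'yes' : 'no');
```

Run it with `php example.php`; on a PHP without the json extension the builtin comparison is skipped, but the two has_permission assertions still separate the decoders. The failure the issue describes is fail-closed: a mismatch denies the administrator everything, which is an outage, not a compromise. The opposite direction is the one to watch for. A decoder that silently returned a superset of routes, or a hasPermission patched to always return true (as the reporter did while debugging), grants every route to every group, so a debug override like that must never reach a deployed store.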

@Kulak Kulak changed the title Admin is Denied Permission to Edit everything on clean installation Permission system is broken on clean installation if json_decode is not installed Oct 21, 2015

@Kulak Kulak changed the title Permission system is broken on clean installation if json_decode is not installed Permission system is broken if json_decode function is not installed Oct 21, 2015

@danielkerr

Contributor

commented Nov 6, 2015

Then install json_decode, because it's pretty standard.

@danielkerr

Contributor

commented Nov 6, 2015

"Someone would have to either fix the helper function or remove it."

I will be the one to decide what gets removed!

@mtjhost


commented Jan 3, 2016

Hi Daniel,

Thanks for the update 2.1.0.1 oc
I am getting the below error and am unable to use the store front and backend. Only the top header is showing.

Fatal error: Call to a member function model() on a non-object in /home/store/public_html/vqmod/vqcache/vq2-admin_view_template_common_header.tpl on line 121

This type of error comes up again and again after I click the Clean button in the Admin > Modification page.

Please give a permanent resolution if you have.

@danielkerr

Contributor

commented Jan 8, 2016

@mtjhost Unfortunately I don't have time to help you. There is a contact us form on the opencart.com web site. Contact my staff through there.

@danielkerr

Contributor

commented Jan 8, 2016

OK, you're right. The json extension became built in after PHP 5.2. OpenCart only runs from 5.3.

@danielkerr

Contributor

commented Jan 8, 2016

Not sure how you ran OpenCart without the json extension.

@danielkerr danielkerr closed this Jan 8, 2016

danielkerr added a commit that referenced this issue Jan 8, 2016
danielkerr added a commit that referenced this issue Jan 8, 2016
@danielkerr

Contributor

commented Jan 8, 2016

OK, added back and added a fix.

@Kulak

Author

commented Jan 8, 2016

I am not tracking this project as a whole.

Is json going to be listed somewhere as an external dependency? It appears to me that json is not part of the core PHP distribution. I am sorry if I am way off, because I don't track the PHP dev world that much.
