PROBLEM:
In file add_forum.php there is a line which checks permissions.
It is line 12 in the book.
Code:
if (~$user->permission & User::CREATE_FORUM)
The negation of $user->permission (~$user->permission) is not
working properly.
By default, when a user registers, they have no privilege to add forums.
I can register a user, and that user can log in and
start adding forums. This is not correct. That user should get
the message "Sorry, you do not have sufficient privileges to create
new forums."
(I realize the program is designed to come in from view.php, and
in view.php it does a check for $user->permission, so you have to
pass that before you even come here, but still the ~$user->permission
is an incorrect value here. For testing purposes,
I have a link that comes straight here to add_forum.php)
SOLUTION:
I was able to solve the problem by casting $user->permission as an int.
So the line reads:
Code:
if (~ (int) $user->permission & User::CREATE_FORUM)
This solved the problem.
DEBUGGING and DETAILS
I verified that I was at least working with the correct
user object that was being returned from this line
in add_forum.php (correct uid, username, etc)
$user = User::getById($_SESSION['userId']);
debugging steps to test the permission problem.
1. I put a print right after getById. This way we
can see if user->permission is getting set correctly,
and see if ~$user->permission is correct
2. I tried setting different permission values. These are set in file
User.php, function __construct, around line 20 in the book, the line
Code:
'permission' => 0);
3. For each time you set a new value,
register a new user, then click your add_forum link and
check the value of $user->permission and ~$user->permission.
For all cases, $user->permission would always be correct.
For all cases, ~$user->permission would never be correct;
here are the incorrect values for a few cases
(basically prints garbage in decimal and 0 in hex):

permission    prints in decimal       prints in hex
0             Idiaeresis              0
3 (0011)      Igrave                  0
13 (1101)     Icircumflex Igrave      0
15 (1111)     Icircumflex Egrave      0

debugging to test in a different way
NOW, simply hardcode the permission value in
add_forum.php somewhere after the call to getById.
In other words you are overriding the value returned by getById.
For example,
Code:
$user->permission = 0;
(play around and
set it to different values)
In this case, ~$user->permission always has the correct value.
SO, this appears to have something to do with the user object returned
from the database by getById.
CONFIGURATION.
mysql: version 4.1.22
In the phpMyAdmin section, under the user table, it has
Field: PERMISSION
Type: int(10)
Collation:
Attributes: unsigned
Null: no
Default: 0
Note: When I started, I altered the USER table just like the book
says on page 32.
Code:
ADD PERMISSION INTEGER UNSIGNED NOT NULL DEFAULT 0
Comment: This may have something to do with the type being int(10)
because user_id is also int(10) and just for kicks I tried negating
that in add_forum.php and it gave wrong results too.
running on unix: FreeBSD 4.10-RELEASE #10
> php -version
PHP 5.2.6 (cli) (built: Feb 26 2009 08:23:11)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>
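
The behaviour described in this post, as an added example that is not part of the original post or the book's code: PHP's `~` applied to a string inverts each byte and returns a string, so a permission column that arrives from the database as "0" never yields the integer complement the check expects. The sketch assumes getById hands column values back as strings, uses an assumed value of 2 for CREATE_FORUM, and the helpers permissionBits and hasPermission are hypothetical names.

```php
<?php
// Added example, not the book's code. CREATE_FORUM = 2 is an assumed value;
// the post does not show what User::CREATE_FORUM is defined as.
define('CREATE_FORUM', 2);

// Constructed sample row. Assumption: the database layer hands every
// column back as a string, so permission is "0" rather than 0.
$row = array('user_id' => '7', 'permission' => '0');

// ~ on a string inverts each byte and returns a string, not an integer.
// Hex-encode the result so the raw bytes are visible.
function notOfString($s)
{
    return bin2hex(~$s);
}

// Hypothetical helper: normalise a stored permission to an int and fail
// closed (no bits set) on anything that is not a plain decimal number.
function permissionBits($raw)
{
    if (is_int($raw)) {
        return $raw >= 0 ? $raw : 0;
    }
    if (is_string($raw) && ctype_digit($raw)) {
        return (int) $raw;
    }
    return 0;
}

// Hypothetical helper: true only when every bit of $flag is set.
function hasPermission($raw, $flag)
{
    return (permissionBits($raw) & $flag) === $flag;
}

echo 'bytes of ~"0": ', notOfString($row['permission']), "\n";
echo 'bytes of ~"13": ', notOfString('13'), "\n";
// Constructed inputs: string and int values, a malformed string, and null.
foreach (array($row['permission'], '3', 13, '1x', null) as $stored) {
    echo var_export($stored, true), ' => ',
         hasPermission($stored, CREATE_FORUM) ? 'allow' : 'deny', "\n";
}
```

Testing that the flag is present on a normalised integer, instead of negating and masking the raw value, means an unexpected type results in a denial rather than a grant.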