
Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:00 am
by axew3
v3 iframe phpBB WordPress template integration code
JS code of overall_footer.html:
changed:

Code:

//parent.w3all_ajaxup_from_phpbb(w3appendevents);
into

Code:

parent.w3all_ajaxup_from_phpbb(w3appendevents);
It was wrongly commented out, so on iframe user login/out, for example, the WP page did not reload to update the state of the user on both CMSs.
This is the main little fix, but there is another too:

Also, the part to add into header.html has been changed to correctly assign a var: the code seems to have been working fine even with this little error; still, some browsers may not process it correctly.
Better to change to the new patched code and avoid any possible issue.

Another little part has also been changed, together with the page-forum.php code, to prevent and resolve a possible (secondary) security issue.
The secondary security issue resolved is explained here:
Let's suppose that an admin accesses the phpBB ACP or UCP via iframe: what happens is that phpBB by default appends a sid to the URLs, so the code as it was naturally passed this string to be encoded and so pushed or passed as the URL to load the resource.
So, now let's suppose that a mod, an admin or a user with a sid appended copies the link in the address bar, which is encoded and contains the sid; he may not notice this because he can't see what the encoded string really contains, and he goes on to paste it elsewhere.
It is so hard to reproduce and for that to happen, and in theory the sid alone should not be sufficient to gain access as another user. By the way, there are so skilled guys around, you know, and it could be a little mess. Fixed/resolved.

P.S. The same problem (encoded URL containing the sid) was also coming up on right-click copy or open link actions if, as in the very last step of the v3 iframe procedure, the part of the code for overall_footer.html (where it is indicated that right-click-copy encoded links are not necessary if the overall_header.html code has been added) wasn't removed.
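
The sid leak described in the post above, shown as an added example that is not part of the original post or of the plugin's code: the session id is removed from a forum link before the link is encoded and handed to the WordPress page. The function names, the sample board URL and the use of Base64 as the encoding are assumptions made for illustration.

```javascript
// Added example; stripSid, encodeForParent, decodeFromParent, leaksSid and
// FORUM_BASE are hypothetical names, and Base64 is an assumed stand-in for
// whatever encoding the integration code really applies.
const FORUM_BASE = 'https://forum.example/phpBB/'; // constructed sample board URL

// Remove phpBB's session id (sid) from a link before it is encoded.
function stripSid(href, base = FORUM_BASE) {
  const url = new URL(href, base);   // also resolves relative links (./ucp.php?...)
  url.searchParams.delete('sid');    // removes every sid=... pair, keeps the rest
  return url.toString();
}

// Encode a forum URL so it can travel as one parameter of the WordPress page URL.
// keepSid: true reproduces the behaviour the post describes as the problem.
function encodeForParent(href, { keepSid = false } = {}) {
  const target = keepSid ? new URL(href, FORUM_BASE).toString() : stripSid(href);
  return encodeURIComponent(btoa(target));
}

function decodeFromParent(param) {
  return atob(decodeURIComponent(param));
}

// True when an encoded parameter still carries a session id once decoded.
// The person copying the link cannot see this without decoding it.
function leaksSid(param) {
  return new URL(decodeFromParent(param)).searchParams.has('sid');
}

// Constructed sample: an ACP link with a made-up sid appended.
const SAMPLE =
  './adm/index.php?sid=0123456789abcdef0123456789abcdef&i=acp_board&mode=security';
const before = encodeForParent(SAMPLE, { keepSid: true });
const after = encodeForParent(SAMPLE);

console.log('before fix leaks sid:', leaksSid(before));
console.log('after fix leaks sid: ', leaksSid(after));
console.log('decoded after fix:   ', decodeFromParent(after));
```
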

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:35 pm
by xray
I changed and commented out, now it just redirects logging out automatically!

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:46 pm
by axew3
But maybe it is related to the fact that you did not resolve the previous login/out problem?
Because, with the line activated, when the user is not logged in to phpBB but is logged in to WordPress, the page will reload and log out of WordPress too.
I assume that the iframe integration is not working, by the way, because there are still login problems with cookies?

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 10:19 pm
by xray
Right, the login/logout was still causing intermittent problems. Now I cannot get logged into the forums to even purge the cache. I can log in to WP with no problems; it's only when I click on the forum link and try to log in there that I have the issue. If I am already logged in with WP and click the forum link (iframe mode), it will automatically log me out of both.

I am stumped, as I put the code back how it was before I added the patch code you suggested, and the resulting behavior is redirect/logout.

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Sat Jan 05, 2019 6:19 am
by xray
Is it a localhost install or can we see it online?
You take a PM?

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Sat Jan 05, 2019 8:53 am
by axew3
No PM! Problems with iframe and PM? Let me check ...
Just sent one to you and no, no problems, but no PM from you.

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Sat Jan 05, 2019 7:34 pm
by axew3
OK, xray, after having been informed about what was going wrong, and better to report this to be clear on the procedure ... he had, in
phpBB ACP
under Security settings
the option: Allow "Remember Me" logins:
set to NO.
But this option needs to be set to YES, or when a user logs in no cookie will be released, nor recognized if presented, so logout will fire on both CMSs: phpBB because it will not recognize the one eventually released on WP login by the plugin, and WordPress because no valid phpBB found.
It has been added to the installation procedure.

Apart from this,
the overall_header.html and overall_footer.html v3 JS code has been patched because it was hard for everyone to access the ACP when the iframe was activated, and for several other reasons:
now the code has been changed so that:
when the phpBB admin ACP link is clicked within the iframe, a new page will be opened.
when an ACP page, login or ACP admin, is accessed via direct URL, it will equally be opened as called, externally; no redirect to the iframe will fire.
That will make the situation clearer and more useful for all.

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Tue Jan 08, 2019 5:08 pm
by axew3
The page-forum.php code for v3 (1.9.4) has been patched (over the last patch):
I went to apply something to a site and I saw that there is still a little problem in the code:
with the current fix, after applying the overall_header.html code, when you right-click and open a link such as the FAQ link in a new tab/window (and only on right click), the code will fail because:
the code will append index.php and the URL will become something like this:
https://192.168.1.5/forum/app.php/help/faq/index.php
and with index.php appended to this kind of URL, phpBB will answer page not found.
To avoid this (maybe this code could be better, but it currently works without big changes), the code should be changed to this:

Code:

if( strlen($w3all_url_to_cms) == strlen(get_option( 'w3all_url_to_cms' )) OR strlen($w3all_url_to_cms) == strlen(get_option( 'w3all_url_to_cms' )) + 1 )
{
    // Fix by @tlagren
    // bug -> https://wordpress.org/support/topic/problem-using-iframe-feature-with-https/
    $w3all_url_to_cms .= (substr($w3all_url_to_cms, -1) == '/' ? '' : '/index.php');
}
Now any kind of passed URL should be compatible, and when FAQ-like (app) links or SEO URLs are passed, the result will be fine. The fix has been committed to the repo for the file page-forum.php.