FreakAuth_light 1.1 bug?
#1

[eluser]Unknown[/eluser]
Hi

Having installed FreakAuth_light 1.1 and enabled user profiles, I have a problem! As admin, if I edit a record, when I hit "Save" I get a database error. The precise error is:

Code:
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

SELECT * FROM (`fa_user`) WHERE `id` =

From my digging, this seems to be coming from application/controllers/admin/users.php and in particular the first line of function edit($id = '') which says:

Code:
function edit($id = '')
    {

        // security check:
        // admins or superadmins cannot be edited in the users controller
        $edited_role = getUserPropertyFromId($id, 'role');
        $allowed = ($edited_role != 'admin' AND $edited_role != 'superadmin');
        if (!$allowed) $this->freakauth_light->denyAccess(getUserProperty('role'));

The problem seems to be that the $id is not getting passed to the function by the edit form (and is being explicitly blanked by the function declaration), resulting in the security check failing - getUserPropertyFromId causes the database error as the WHERE clause in the query has nothing for $id.

Tracking this back, I've found application/views/FreakAuth_light/template_admin/users/edit.php and in particular the form open statement:

Code:
<?=form_open('admin/users/edit/')?>

By changing this to:

Code:
<?=form_open('admin/users/edit/' . (isset($user['id']) ? $user['id'] : $this->fal_validation->{'id'}))?>

I can make the problem go away (i.e. I can edit users), but I'm a bit concerned that (a) this seems like a big problem that surely somebody would have seen before if it was "real", and (b) am I opening up other problems later?

Apart from that, great work, well done and thank you!
#2

[eluser]Gewa[/eluser]
SELECT * FROM (`fa_user`) WHERE `id` =


Try changing the above code to

SELECT * FROM `fa_user` WHERE `id` =
#3

[eluser]MCrittenden[/eluser]
I had the same error on three separate installs on different servers and I thought I was crazy. Thanks for the fix!
#4

[eluser]Unknown[/eluser]
Hi there. I have the same problem, but after applying your part of the code, when I'm trying to edit an admin an error message pops up: 'You do not have the credentials to access this reserved area.' And I am logged in as a superadmin, so I guess something's still wrong..
Best wishes, wteq
#5

[eluser]Unknown[/eluser]
[quote author="wteq" date="1212603762"]Hi there. I have the same problem, but after applying your part of the code, when I'm trying to edit an admin an error message pops up: 'You do not have the credentials to access this reserved area.' And I am logged in as a superadmin, so I guess something's still wrong..
Best wishes, wteq[/quote]

Hi,
try to change this line (controllers/admin/users.php line 345):
Code:
$allowed = ($edited_role != 'admin' AND $edited_role != 'superadmin');
to
Code:
$allowed = ($edited_role != 'admin' OR $edited_role != 'superadmin');

I hope this helps, it worked for me.
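The two changes discussed so far (post #1's empty `$id` reaching the query, and post #5's switch from AND to OR in the role check) can be compared side by side. The following is an added example written for this thread; it is not FreakAuth_light code and not from any of the posters. The `$users` array, `role_from_id()` and the role names 'user', 'admin' and 'superadmin' are stand-ins assumed for illustration in place of `getUserPropertyFromId()` and the `fa_user` table. Note that `$r != 'admin' OR $r != 'superadmin'` is true for every `$r`, since no single string equals both, so that variant removes the guard rather than relaxing it.

```php
<?php
// Added example (not FreakAuth_light's own code): a standalone model of the
// admin/users edit() guard discussed in this thread.
//
// Assumptions, labelled as such: the role names 'user', 'admin' and
// 'superadmin' as they appear in the thread; role_from_id() and the $users
// array below stand in for getUserPropertyFromId() and the fa_user table.

// Constructed sample data standing in for the fa_user table.
$users = array(
    1 => array('id' => 1, 'role' => 'superadmin'),
    2 => array('id' => 2, 'role' => 'admin'),
    3 => array('id' => 3, 'role' => 'user'),
);

// Stand-in for getUserPropertyFromId($id, 'role'). Returns null when $id is
// not a positive integer, instead of issuing "WHERE `id` =" with nothing
// after the '=' (the error 1064 shown in the first post).
function role_from_id($users, $id)
{
    if (!ctype_digit((string) $id) || (int) $id < 1) {
        return null;
    }
    $id = (int) $id;
    return isset($users[$id]) ? $users[$id]['role'] : null;
}

// The guard as posted in #1: only non-privileged accounts may be edited
// here, whoever the caller is.
function allowed_original($edited_role)
{
    return ($edited_role != 'admin' AND $edited_role != 'superadmin');
}

// The AND -> OR variant from post #5. A role cannot equal both strings at
// once, so at least one inequality always holds: this returns true for
// every input and removes the check entirely.
function allowed_or_variant($edited_role)
{
    return ($edited_role != 'admin' OR $edited_role != 'superadmin');
}

// A guard that takes the caller's role into account instead: a superadmin
// may edit admins, an admin may only edit plain users, nobody edits a
// superadmin through this controller, and an empty or unknown target id is
// refused before any query would run.
function allowed_with_caller($caller_role, $edited_role)
{
    if ($edited_role === null) {
        return false;           // empty or unknown $id: deny, do not query
    }
    $rank = array('user' => 0, 'admin' => 1, 'superadmin' => 2);
    if (!isset($rank[$caller_role], $rank[$edited_role])) {
        return false;           // unrecognised role on either side
    }
    if ($edited_role === 'superadmin') {
        return false;           // never through admin/users
    }
    return $rank[$caller_role] > $rank[$edited_role];
}

// Walk the cases the thread describes (constructed inputs).
$cases = array(
    array('superadmin', 2),   // superadmin editing an admin (wteq's case)
    array('admin', 2),        // admin editing another admin
    array('admin', 3),        // admin editing a plain user
    array('superadmin', ''),  // form submitted without an id (post #1)
    array('superadmin', 1),   // anyone editing a superadmin
);

foreach ($cases as $c) {
    list($caller, $id) = $c;
    $role = role_from_id($users, $id);
    printf("caller=%-10s id=%-4s target=%-12s original=%d or_variant=%d with_caller=%d\n",
        $caller, var_export($id, true), var_export($role, true),
        allowed_original($role), allowed_or_variant($role),
        allowed_with_caller($caller, $role));
}
```

Run it with the `php` CLI. The `or_variant` column is 1 on every row, including the superadmin target; the `with_caller` column is 1 only for superadmin editing admin and admin editing user, and 0 for the empty id, so the controller would deny before the Active Record query is ever built.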
#6

[eluser]Chris Williams[/eluser]
[quote author="Gewa" date="1211897717"]SELECT * FROM (`fa_user`) WHERE `id` =

Try changing the above code to

SELECT * FROM `fa_user` WHERE `id` =[/quote]

Where would this edit be made?
#7

[eluser]Grahack[/eluser]
@ skwdenyer
Thanks for fixing this. a) It's a real bug I think I've faced once. b) Future will tell, but I guess no.

@ Gewa & Chris Williams
This query is made with Active Record; you won't be able to change the SQL without touching the DB driver. Anyway, to me the problem is related to the emptiness after '='.

@ wteq & akidur
You shouldn't access admin editing through the admin/users controller. That's why I think you accessed the form by tweaking the URL. Did you?
#8

[eluser]Asinox[/eluser]
Thanks for the fix :)
#9

[eluser]Jamongkad[/eluser]
I had the exact same problem as skwdenyer. Now that I've finished the required fixes, a whole can of worms has opened up, such as not being able to edit Admins as a Super Admin. Grahack, you mentioned that we should not access admin editing through the admin/users controller. I agree, but what fix do you propose?
