W.W.W Posted September 16, 2016
Can you add so you need to reply to thread to view links?

Joel R Posted January 4, 2017
Hi @Tom Irons

I wanted to let you know there's a potential bug in your plugin "Clear Notifications" that triggered a whole mess of system errors on my community:

\IPS\Member::loggedIn() returns a guest object

Another third-party developer kindly suggested you use the following code to stop the error:

    public function clearNotifications()
    {
        /* Clear the user's notifications */
        /* A guest object has no member_id, so the DELETE is skipped for guests */
        if( \IPS\Member::loggedIn()->member_id ){
            \IPS\Db::i()->delete( 'core_notifications', 'member=' . \IPS\Member::loggedIn()->member_id );
        }
        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( NULL ), 'ClearNotifications_complete' );
    }

Hope this helps

Joel R Posted January 8, 2017

    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
    DELETE FROM `core_notifications` WHERE member=

    | File                              | Function                                                    | Line No. |
    |-----------------------------------+-------------------------------------------------------------+----------|
    | /system/Db/Db.php                 | [IPS\Db\_Exception].__construct                             | 393      |
    | /system/Db/Db.php                 | [IPS\_Db].preparedQuery                                     | 946      |
    | /init.php(443) : eval()'d code    | [IPS\_Db].delete                                            | 10       |
    |                                   | [IPS\core\modules\front\system\hook1313].clearNotifications |          |
    | /system/Dispatcher/Controller.php | [].call_user_func                                           | 85       |
    | /system/Dispatcher/Dispatcher.php | [IPS\Dispatcher\_Controller].execute                        | 129      |
    | /index.php                        | [IPS\_Dispatcher].run                                       | 15       |

    #0 /home/nginx/domains/mywebsite.com/public/init.php(507): IPS\_Log::log('DELETE FROM `co...', 'uncaught_except...')
    #1 [internal function]: IPS\IPS::exceptionHandler(Object(IPS\Db\Exception))
    #2 {main}

IPBSkins Posted January 12, 2017
It is not so much a bug as a CSRF vulnerability. There is no checking of the CSRF key. Thus a malicious user may in some way follow the link and delete all user notifications. We created a similar plugin that works via Ajax without reloading the page: http://ipbskins.ru/forum/files/file/341-siv41-delete-all-notifications/ It was uploaded to the marketplace, but for some unknown reason the file is not approved.

Tom Irons (Author) Posted January 13, 2017
I don't think there is any way someone can maliciously delete someone's notifications. It checks to see if the user is logged in and if they are it will only remove their notifications. I would assume it wasn't approved cause mine is already on the marketplace. Why would they want more than one plugin to do the same thing?

IPBSkins Posted January 16, 2017
On January 13, 2017 at 6:50 AM, Tom Irons said:
> I don't think there is any way someone can maliciously delete someone's notifications. It checks to see if the user is logged in and if they are it will only remove their notifications.

What will happen if you go directly to the link? The notifications of the current user will be removed. That is, one way or another, one can call the address and run the function for the current user without verifying that the request came from him. For example, by posting the direct link, a shortened link or a dynamic image. You don't check the CSRF key, and in this case that is a potential vulnerability (see cross-site request forgery attack). Suppose that in this case it is a small one, but what if it came to the removal of personal correspondence? This is serious.

Tom Irons (Author) Posted January 16, 2017
I added CSRF protection into the plugin and updated it. If there's anything else you'd like to see added into the plugin let me know.

Tom Irons (Author) Posted January 16, 2017
Just now, sweethoney said:
> don't work for me

I need more information than just that... are you receiving an error?

sweethoney Posted January 17, 2017
I'll let you know later, I'm running some tests. I got it to work; it was conflicting with a plugin I had.

Subseven Posted March 20, 2017
I installed it and it worked fine in the latest IPB. Then a couple days later it doesn't work. Any ideas?

Subseven Posted March 23, 2017
Uninstalling until we get an update. Worked at first.

Simon Woods Posted August 4, 2017
Hi, I was wondering if this will need an update for 4.2, and if so will it be provided?

Tom Irons (Author) Posted August 7, 2017
On 8/4/2017 at 0:58 PM, Simon Woods said:
> Hi, I was wondering if this will need an update for 4.2, and if so will it be provided?

This plugin still works and doesn't need an update for 4.2.x.

WJWM Posted August 11, 2017
We've noticed a problem with 1.01 on our forum (v. 4.2.2) when using computer or iPad. When clicking Clear notifications in the 'View all notifications' list an alert appears as below, whereas when clicking Clear notifications on the Notifications popup the feature works as it should.

Tom Irons (Author) Posted August 16, 2017
I'll take a look at that when I can, are there any errors in the logs related to the plugin? Thanks!

Simon Woods Posted August 16, 2017
I get the same problem, with no errors logged. It's at this URL: https://SITE-URL/index.php?app=core&module=system&controller=plugins&do=clearNotifications

Tom Irons (Author) Posted August 18, 2017
Disable the plugin for now, and I'll try to take a look this weekend.

Tom Irons (Author) Posted August 21, 2017
It's because the CSRF token isn't being added into the url. Do you have friendly urls enabled or disabled?

Simon Woods Posted August 21, 2017
8 hours ago, Tom Irons said:
> It's because the CSRF token isn't being added into the url. Do you have friendly urls enabled or disabled?

Enabled.

Tom Irons (Author) Posted August 21, 2017
@Simon Woods if you hover over the clear link, does it have a csrf parameter?

Simon Woods Posted August 21, 2017
33 minutes ago, Tom Irons said:
> @Simon Woods if you hover over the clear link, does it have a csrf parameter?

Nope, not on the notifications page. However, it does in the menu.

Tom Irons (Author) Posted August 21, 2017
That would explain it, sorry about that. I'll have an update for the plugin soon.

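The checks discussed in this thread, as an added stand-alone PHP sketch (not the plugin's or Invision Community's code): the action skips guests, requires the session's CSRF key, and rejects a link that was rendered without the key, which is the failure reported on the notifications page. The `csrfKey` parameter name and the `$session` and `$store` arrays are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: a stand-alone model, not Invision Community code.
// The names $session, $store and 'csrfKey' are assumptions for this sketch.

/** Build the clear link; every template that renders it must go through here. */
function clearUrl(string $csrfKey): string
{
    return 'index.php?' . http_build_query([
        'app' => 'core', 'module' => 'system', 'controller' => 'plugins',
        'do' => 'clearNotifications', 'csrfKey' => $csrfKey,
    ]);
}

/** Handle the action; returns a status string instead of redirecting. */
function clearNotifications(array $session, array $query, array &$store): string
{
    $memberId = (int) ($session['member_id'] ?? 0);
    if ($memberId === 0) {
        return 'guest';        // guest object: no member id, so run no DELETE
    }
    $sent = $query['csrfKey'] ?? '';
    if (!is_string($sent) || !hash_equals($session['csrf_key'], $sent)) {
        return 'rejected';     // request did not carry this session's key
    }
    // Only the session's own member id is used, never one taken from the request.
    $store = array_values(array_filter($store, fn($n) => $n['member'] !== $memberId));
    return 'cleared';
}

// Constructed sample data: two notifications for member 7, one for member 9.
$store   = [['member' => 7, 'id' => 1], ['member' => 7, 'id' => 2], ['member' => 9, 'id' => 3]];
$session = ['member_id' => 7, 'csrf_key' => bin2hex(random_bytes(16))];

// 1. Guest session: nothing is deleted and no query is built.
echo clearNotifications(['member_id' => null, 'csrf_key' => 'x'], [], $store), "\n";

// 2. Link without the key (a cross-site request, or a template that omitted it).
parse_str('app=core&module=system&controller=plugins&do=clearNotifications', $bare);
echo clearNotifications($session, $bare, $store), ' ', count($store), "\n";

// 3. Link produced by clearUrl() for this session: only member 7's rows go.
parse_str((string) parse_url(clearUrl($session['csrf_key']), PHP_URL_QUERY), $good);
echo clearNotifications($session, $good, $store), ' ', count($store), "\n";
```

Building the link in one helper is what keeps the menu and the notifications page from diverging the way they did here.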
Archived
This topic is now archived and is closed to further replies.