
Bug regarding ACP links?


maxkunes


Posted

Recently I found myself using $ipsMember->acpUrl() to retrieve a URL to the user's profile in the ACP. This works as one would expect: it returns some internal routing link to the user's profile, at least in theory.

It produced a URL like this, for example, but something wasn't working when I clicked the link from a page on my site. It was redirecting me to the members list in the adminCP, rather than the actual member profile in the adminCP:

https://www.site.net/index.php?app=core&module=system&controller=redirect&do=admin&_data=YXBwPWNvcmUmbW9kdWxlPW1lbWJlcnMmY29udHJvbGxlcj1tZW1iZXJzJmRvPXZpZXcmaWQ9NjIwMw==

Doing a little investigative work, we can see that the data is base64 encoded and produces this result:

app=core&module=members&controller=members&do=view&id=6203

This seems OK, and if I manually go and click a user profile in the admin CP I get a similar link; note the do=view portion.

The issue is that when I click that link, it automatically prompts me to log into my adminCP, which I am already logged into, and after I do this, that link in my browser resolves here:

https://www.site.net/admin/?adsess=redactedForSecurity&app=core&module=members&controller=members&id=6203

Notice the lack of the do=view GET parameter.

Because of this, I only get to the members list in the admin CP, rather than the actual member. Clearly some data is being lost on a session switch of some kind.

I don't know if this is the right place to post this, but I bet someone here has some idea of what I'm doing wrong/what is going on. I'm guessing that ACP link is not supposed to be clicked from the forum, and some session is glitching out or something, but I can't be sure.

Posted

Unfortunately, this is done intentionally at this time because if certain data is lost (e.g. post data) you can cause some serious harm visiting certain links in the AdminCP. We have seen users get logged out before this and then log back in, and then they're sent to a deletion URL without an id in the URL and get an error, or similar, and this was undesirable behavior.

In short, do= parts of the URL are stripped on purpose when you have to log in.
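The behaviour described in this thread, modelled as an added example (this is not Invision Community code and not written by either poster): it decodes the `_data` value from the URL quoted above and drops `do=` only when a login prompt intervened. The function names, the `login_intervened` flag and the idea of a configurable strip set are assumptions of this sketch.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameters dropped from the post-login target. The thread only names do=;
# holding it in a set is an assumption of this sketch.
STRIPPED_AFTER_LOGIN = frozenset({"do"})

# URL quoted in the first post of the thread.
POSTED_URL = (
    "https://www.site.net/index.php?app=core&module=system&controller=redirect"
    "&do=admin&_data=YXBwPWNvcmUmbW9kdWxlPW1lbWJlcnMmY29udHJvbGxlcj1tZW1iZXJzJmRvPXZpZXcmaWQ9NjIwMw=="
)


def decode_redirect_data(front_url: str) -> list[tuple[str, str]]:
    """Return the ACP query pairs carried in the base64 _data parameter."""
    outer = dict(parse_qsl(urlsplit(front_url).query))
    # parse_qsl turns '+' into a space; restore it before strict decoding.
    blob = outer["_data"].replace(" ", "+")
    inner = base64.b64decode(blob, validate=True).decode("utf-8")
    return parse_qsl(inner, keep_blank_values=True)


def acp_target(front_url: str, login_intervened: bool) -> str:
    """Build the ACP query string the admin ends up on.

    When a login prompt sat between the click and the destination, the
    action parameter is removed so that a request which may have lost its
    accompanying data cannot re-trigger an action; the controller's
    default view (here, the members list) is shown instead.
    """
    pairs = decode_redirect_data(front_url)
    if login_intervened:
        pairs = [(k, v) for k, v in pairs if k not in STRIPPED_AFTER_LOGIN]
    return urlencode(pairs)


if __name__ == "__main__":
    print("session still valid:", acp_target(POSTED_URL, login_intervened=False))
    print("after login prompt: ", acp_target(POSTED_URL, login_intervened=True))
```
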

Archived

This topic is now archived and is closed to further replies.
