#3861 closed defect (bug) (no action required)
BuddyPress Group admin functions consistently produce 403 Forbidden page errors.
| Reported by: | gbellucci | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 1.5.2 |
| Component: | Groups | Keywords: | |
| Cc: | | | |
Description
BuddyPress offers administrative functions for managing BuddyPress Groups. For example, changing the Group avatar, deleting a group, changing the group name, etc. Changes are implemented by submitting a form from the Group's admin page located on the front-end. For example, after changing the group name you press the "Save Changes" button.
The form contains hidden fields for the nonce value and the referrer url, and the action url is typically:
/<groups-slug>/<group-slug>/admin/edit-details/
where:
<groups-slug> is the slug for groups
<group-slug> is the slug for the group.
During the submit processing, the nonce value is verified and the referrer url is validated. These two items are processed by the WordPress function: check_admin_referer()
The check_admin_referer() function is designed to call wp_verify_nonce [to verify the nonce value] and attempts to locate the string position of the admin url within the referring url string.
The admin url is returned by the function admin_url() and is typically the site url with 'wp-admin' appended. (i.e. http://www.example.com/wp-admin/).
check_admin_referer() always fails because the referring url will never contain the url returned by the admin_url() function. This results in a 403 page because WordPress believes that the submission did not originate from an administration page. The check_admin_referer() function works correctly - the submissions did not originate from a url containing /wp-admin/ - however, the function is incorrectly used in this circumstance.
As implemented, Group changes could never have worked; however, I can't find anyone complaining about it in the forums. The BuddyPress plugin should probably contain its own function that verifies admin referrers originating from the front-end.
I have replaced my version of check_admin_referer by adding a rewritten function of the same name to my wp-config.php file. check_admin_referer is a pluggable function. Replacing the routine with one that checks the referring url differently fixes the problem.
WordPress 3.3
BuddyPress 1.5.2
PHP 5.3+
MySQL 5.0
Change History (3)
#2 in reply to: ↑ 1, 13 years ago
- Keywords reporter-feedback removed
- Resolution set to invalid
- Status changed from new to closed
Replying to boonebgorges:
> Thanks for the report.
> I can't reproduce the issue, and I think that it can be traced back to a reading of check_admin_referer(). http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/pluggable.php#L800
> You're right about admin_url() in general. But we only compare against $adminurl (line 807) if !$result, which is to say only if $_REQUEST['_wpnonce'] is not set, or it doesn't pass the wp_verify_nonce() check. In BP, we should always be passing a _wpnonce along with the form submit (as you note in your report), so if you're having a problem it must be that the wp_verify_nonce() check is failing. Could you try tracing that function a bit?
After moving beyond the problem with admin url, my next roadblock was a 404 error on another admin function [Forum settings]. This time I walked through the nonce creation and subsequently walked through the nonce verify only to find that the created value didn't match the value to be verified.
After looking at the browser source I found that [big sigh] a plugin I'm using that someone wrote is also calling wp_create_nonce() but they are not providing their own nonce field name. As a result, there were two hidden controls with the name _wpnonce, so you are correct, the wp_verify_nonce() check was failing.
I deactivated the plugin and commented out my check_admin_referer() and resubmitted a Group change. This time the check_admin_referer() functioned correctly and the nonce was valid - now I seem to have this error: "There was an error updating group details, please try again." Now I'm off to track this problem down.
I'm sorry for not waiting until I had all my ducks in a row before writing up this defect. I am now going to fix the plugin code - and say something to the plugin author about the duplicated _wpnonce field.
Thanks for your hard work. I marked this defect as resolved [invalid].
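As an added example, not code from the ticket, BuddyPress or WordPress: a small PHP script that simulates the decision order boonebgorges describes (the nonce is verified first and the referer is compared against the admin url only when the nonce check fails) and reproduces the duplicate _wpnonce collision gbellucci found. The nonce hashing, secret, tick, user id, site url and the groups_edit_group_details action name are constructed stand-ins and are not taken from the page or from WordPress internals.

```php
<?php
// Added example: not WordPress, BuddyPress or ticket code. It simulates the
// control flow of WP 3.3 check_admin_referer() and the duplicate _wpnonce
// field collision. Secret, tick, user id and site url are constructed stand-ins.

const SITE_URL   = 'http://www.example.com';            // constructed
const NONCE_KEY  = 'constructed-secret-for-demo-only';  // stands in for the WP salts
const NONCE_TICK = 1;                                   // stands in for wp_nonce_tick()
const USER_ID    = 42;                                  // constructed

function admin_url_sim(): string
{
    return SITE_URL . '/wp-admin/';
}

// Same shape as wp_create_nonce(): hash of tick|action|user, 10 chars of the digest.
function create_nonce_sim(string $action): string
{
    $digest = hash_hmac('md5', NONCE_TICK . '|' . $action . '|' . USER_ID, NONCE_KEY);
    return substr($digest, -12, 10);
}

function verify_nonce_sim(string $nonce, string $action): bool
{
    return hash_equals(create_nonce_sim($action), $nonce);
}

// Mirrors the order described in the ticket: the nonce is checked first; the
// referer is compared against the admin url only when the nonce check fails.
function check_admin_referer_sim(array $request, string $referer, string $action, string $query_arg = '_wpnonce'): bool
{
    $result = isset($request[$query_arg]) && verify_nonce_sim($request[$query_arg], $action);
    if (!$result && strpos($referer, admin_url_sim()) === false) {
        return false; // WordPress would wp_die() here, which the browser shows as a 403 page
    }
    return true;
}

// A group edit form carrying BuddyPress' nonce plus a second plugin's nonce field.
function render_form(string $bp_action, string $other_field_name): string
{
    return '<input type="hidden" name="_wpnonce" value="' . create_nonce_sim($bp_action) . '" />'
         . '<input type="hidden" name="' . $other_field_name . '" value="'
         . create_nonce_sim('other_plugin_action') . '" />';
}

// Serializes the hidden inputs the way a browser does; parse_str() then keeps
// only the LAST value for a repeated field name, exactly like PHP's $_REQUEST.
function submit(string $html): array
{
    preg_match_all('/name="([^"]+)" value="([^"]+)"/', $html, $matches, PREG_SET_ORDER);
    $pairs = [];
    foreach ($matches as $m) {
        $pairs[] = rawurlencode($m[1]) . '=' . rawurlencode($m[2]);
    }
    parse_str(implode('&', $pairs), $request);
    return $request;
}

$bpAction = 'groups_edit_group_details'; // assumed action name for this example
$referer  = SITE_URL . '/groups/my-group/admin/edit-details/';

// Case 1: the other plugin also uses the default field name, so its nonce
// overwrites BuddyPress' nonce, verification fails, and the front-end referer
// contains no /wp-admin/, so the check fails.
$request = submit(render_form($bpAction, '_wpnonce'));
var_dump(check_admin_referer_sim($request, $referer, $bpAction));

// Case 2: the other plugin passes its own $name to wp_nonce_field(), so the
// BuddyPress nonce survives and the check passes without any admin referer.
$request = submit(render_form($bpAction, 'other_plugin_nonce'));
var_dump(check_admin_referer_sim($request, $referer, $bpAction));
```

The second case is the fix gbellucci describes: wp_nonce_field($action, $name, ...) and check_admin_referer($action, $query_arg) both accept a field name, so a plugin that shares a page with another form should pass its own rather than rely on the default _wpnonce. The front-end referer never needs to contain /wp-admin/ as long as the nonce verifies, which is why the admin url comparison only matters as a fallback.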