[buddypress-trac] [BuddyPress] #3861: BuddyPress Group admin functions consistently produce 403 Forbidden page errors.
buddypress-trac at lists.automattic.com
Fri Dec 16 18:38:31 UTC 2011
#3861: BuddyPress Group admin functions consistently produce 403 Forbidden page errors.
--------------------------+------------------------------
Reporter: gbellucci | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: Groups | Version: 1.5.2
Severity: normal | Resolution: invalid
Keywords: |
--------------------------+------------------------------
Changes (by gbellucci):
* keywords: reporter-feedback =>
* status: new => closed
* resolution: => invalid
Comment:
Replying to [comment:1 boonebgorges]:
> Thanks for the report.
>
> I can't reproduce the issue, and I think that it can be traced back to a
> reading of check_admin_referer().
> http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/pluggable.php#L800
>
> You're right about admin_url() in general. But we only compare against
> $adminurl (line 807) if !$result, which is to say only if
> $_REQUEST['_wpnonce'] is not set, or it doesn't pass the wp_verify_nonce()
> check. In BP, we should always be passing a _wpnonce along with the form
> submit (as you note in your report), so if you're having a problem it must
> be that the wp_verify_nonce() check is failing. Could you try tracing that
> function a bit?
-----------
After moving beyond the problem with admin url, my next roadblock was a
404 error on another admin function [Forum settings]. This time I walked
through the nonce creation and subsequently walked through the nonce
verify only to find that the created value didn't match the value to be
verified.
After looking at the browser source I found that [big sigh] a plugin I'm
using that someone wrote is also calling wp_create_nonce() but they are
not providing their own nonce field name. As a result, there were two
hidden controls with the name '''_wpnonce''', so you are correct, the
'''wp_verify_nonce()''' check was failing.
I deactivated the plugin and commented out my check_admin_referer() and
resubmitted a Group change. This time the check_admin_referer() functioned
correctly and the nonce was valid - now I seem to have this error '''There
was an error updating group details, please try again.'''. Now I'm off to
track this problem down.
I'm sorry for not waiting until I had all my ducks in a row before
writing up this defect. I am now going to fix the plugin code - and say
something to the plugin author about duplicating the _wpnonce field.
Thanks for your hard work. I marked this defect as resolved [invalid].
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/3861#comment:2>
BuddyPress <http://buddypress.org/>
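The failure described in this comment, as an added illustration that is not BuddyPress or WordPress code: `simplified_nonce()` and `simplified_verify()` are stand-ins for `wp_create_nonce()` / `wp_verify_nonce()` (the real ones also mix in the user id, session token and a time tick), and the action names and salt are constructed for the demo.

```php
<?php
// Why two hidden inputs named _wpnonce make check_admin_referer() fail,
// and why giving the second form its own field name fixes it.
const NONCE_SALT = 'constructed-salt-for-demo';

// Stand-in for wp_create_nonce(): keyed hash of the action, truncated.
function simplified_nonce(string $action): string {
    return substr(hash_hmac('md5', $action, NONCE_SALT), -12, 10);
}

// Stand-in for wp_verify_nonce(): constant-time compare against the
// nonce recomputed for the expected action.
function simplified_verify(string $nonce, string $action): bool {
    return hash_equals(simplified_nonce($action), $nonce);
}

// Two forms on the same page, both emitted with the default field name:
// BuddyPress's group-details form and a third-party plugin's form each
// render <input type="hidden" name="_wpnonce" value="...">.
$bp_nonce     = simplified_nonce('groups_edit_group_details'); // stand-in action
$plugin_nonce = simplified_nonce('some_plugin_action');        // stand-in action

// The browser submits both fields. For a repeated name without [] PHP
// keeps only the LAST value, so $_REQUEST['_wpnonce'] holds the plugin's
// nonce and the BuddyPress check fails.
parse_str("_wpnonce={$bp_nonce}&_wpnonce={$plugin_nonce}", $request);
var_dump(simplified_verify($request['_wpnonce'], 'groups_edit_group_details'));

// Fix: the plugin passes its own field name, i.e. in WordPress terms
// wp_nonce_field('some_plugin_action', 'some_plugin_nonce'), so the two
// nonces no longer collide in the request.
parse_str("_wpnonce={$bp_nonce}&some_plugin_nonce={$plugin_nonce}", $request);
var_dump(simplified_verify($request['_wpnonce'], 'groups_edit_group_details'));
var_dump(simplified_verify($request['some_plugin_nonce'], 'some_plugin_action'));
```

Checking the rendered page source for more than one hidden input named `_wpnonce`, as the reporter did, is the quickest way to spot this collision.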