View Issue Details

ID: 0016706 | Project: mantisbt | Category: plug-ins | View Status: public | Last Update: 2014-02-07 18:24
Reporter: aavagyan | Assigned To: dregad
Priority: normal | Severity: minor | Reproducibility: always
Status: closed | Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16 | Fixed in Version: 1.2.16
Summary: 0016706: Plugin pages can be accessed directly when schema upgrade is needed
Description

Case:

  • Plugin is updated
  • Plugin schema also needs to be updated, but this is not done yet

Problem:

Plugin's pages can still be accessed directly if URLs are known, and, naturally, errors are output as plugin configuration (or resources, etc.) is not available (because plugin is not 'available' yet) to these pages.

Steps To Reproduce

Change plugin values (any plugin which requires DB tables) in mantis_config_table to trigger the state where the plugin is waiting for a schema update. Try accessing plugin pages by direct URLs.

Tags: No tags attached.
Attached Files
fix-16706.patch (1,823 bytes)   
diff --git a/core/constant_inc.php b/core/constant_inc.php
index 1861f69..e4ec709 100644
--- a/core/constant_inc.php
+++ b/core/constant_inc.php
@@ -372,6 +372,7 @@ define( 'ERROR_PLUGIN_ALREADY_INSTALLED', 2501 );
 define( 'ERROR_PLUGIN_PAGE_NOT_FOUND', 2502 );
 define( 'ERROR_PLUGIN_UPGRADE_FAILED', 2503 );
 define( 'ERROR_PLUGIN_INSTALL_FAILED', 2504 );
+define( 'ERROR_PLUGIN_UPGRADE_NEEDED', 2505 );
 define( 'ERROR_PLUGIN_GENERIC', 2599 );
 
 # ERROR_COLUMNS_*
diff --git a/lang/strings_english.txt b/lang/strings_english.txt
index c14081b..d42b52e 100644
--- a/lang/strings_english.txt
+++ b/lang/strings_english.txt
@@ -291,6 +291,7 @@ $MANTIS_ERROR[ERROR_PLUGIN_ALREADY_INSTALLED] = 'Plugin is already installed.';
 $MANTIS_ERROR[ERROR_PLUGIN_PAGE_NOT_FOUND] = 'Plugin page not found.';
 $MANTIS_ERROR[ERROR_PLUGIN_INSTALL_FAILED] = 'Plugin installation failed: %1$s.';
 $MANTIS_ERROR[ERROR_PLUGIN_UPGRADE_FAILED] = 'Upgrading the plugin schema failed in block #%1$s.';
+$MANTIS_ERROR[ERROR_PLUGIN_UPGRADE_NEEDED] = 'The "%1$s" plugin needs to be upgraded before you can access this page.';
 $MANTIS_ERROR[ERROR_PLUGIN_GENERIC] = 'There was an unknown error "%1$s" during execution of the "%2$s" plugin.';
 $MANTIS_ERROR[ERROR_COLUMNS_DUPLICATE] = 'Field "%1$s" contains duplicate column "%2$s".';
 $MANTIS_ERROR[ERROR_COLUMNS_INVALID] = 'Field "%1$s" contains invalid field "%2$s".';
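Review bot: the new ERROR_PLUGIN_UPGRADE_NEEDED string echoes its %1$s argument inside quotes on an error page, and the plugin.php hunk of this patch passes $t_basename for it. Please confirm that error parameters are HTML-escaped when the message is rendered, or escape the value before handing it to error_parameters().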
diff --git a/plugin.php b/plugin.php
index 2fc968e..5d5d94e 100644
--- a/plugin.php
+++ b/plugin.php
@@ -48,6 +48,11 @@ if ( !is_file( $t_page ) ) {
 		trigger_error( ERROR_PLUGIN_PAGE_NOT_FOUND, ERROR );
 }
 
+if( plugin_needs_upgrade( $g_plugin_cache[$t_basename] ) ) {
+	error_parameters( $t_basename );
+	trigger_error( ERROR_PLUGIN_UPGRADE_NEEDED, ERROR );
+}
+
 plugin_push_current( $t_basename );
 include( $t_page );
 
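Review bot: the added block in plugin.php indexes $g_plugin_cache[$t_basename] directly, and nothing in the visible context shows that the key is guaranteed to exist at this point; if registration is verified earlier in the file, a one-line comment saying so would help, otherwise guard the lookup with isset(). Two smaller points: the block sits after the is_file() test, so a request for a missing page of a pending plugin reports ERROR_PLUGIN_PAGE_NOT_FOUND instead of ERROR_PLUGIN_UPGRADE_NEEDED, and moving the upgrade check above the file test would give one consistent answer for a plugin in that state; and the new line is written "if(" while the surrounding code uses "if ( ... )".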

Activities

dregad

2013-12-17 11:39

developer   ~0038868

I can't reproduce the described behavior (tried with Snippets plugin). Please provide more specific instructions to replicate the problem, including the affected plugin, which page you are trying to load and the error messages you get.

aavagyan

2013-12-17 14:10

reporter   ~0038871

For example ManTweet (I don't have Snippet plugin installed). Do you need detailed instructions to get it to the 'upgrade needed' state?

Once in this stage, go to:

http://localhost/mantis/plugin.php?page=ManTweet/index.php

I'm still able to access this page, but with a bunch of errors.

aavagyan

2014-01-14 19:06

reporter   ~0039052

Let me provide more details.

CASE 1: Plugin is installed (registered) with MantisBT properly.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If I understand things correctly, in each plugin page something like the following should be added:


access_ensure_global_level( plugin_config_get( 'access_threshold' ) );


where 'access_threshold' is set in the root plugin file. This works, and users with rights levels less than 'access_threshold' get an 'access denied' error.

CASE 2: Plugin is not installed (or uninstalled).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

All is fine, and trying to use direct links to plugin pages returns a "Plugin is not registered with MantisBT" error.

CASE 3: Plugin is installed, but awaiting schema update.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is when the problem comes. It is possible to access plugin pages directly. Having


access_ensure_global_level( plugin_config_get( 'access_threshold' ) );


is only giving the following warnings on the screen:


APPLICATION WARNING #100: Configuration option "plugin_MantisStats_access_threshold" not found.


and the rest of the script works, which is wrong.
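
The three cases in the comment above can be modelled as a small front controller: hiding a plugin from the menu does not stop direct URLs, while one check in the dispatcher covers every plugin page. This is an added example, not MantisBT code or the reporter's; the registry layout, the function names and the 'not_registered' label are assumptions made for illustration, and the two numeric error codes are the ones defined in the patch on this page.

```php
<?php
// Added illustration: a stand-alone model, not MantisBT code.
// Constructed sample registry: the schema version the plugin code expects
// versus the version recorded in the database for that plugin.
const ERR_NOT_REGISTERED = 'not_registered';   // hypothetical label
const ERR_PAGE_NOT_FOUND = 2502;               // ERROR_PLUGIN_PAGE_NOT_FOUND
const ERR_UPGRADE_NEEDED = 2505;               // ERROR_PLUGIN_UPGRADE_NEEDED

$registry = [
    'MantisStats' => ['code_schema' => 2, 'db_schema' => 1,
                      'pages' => ['issues_by_reproducibility']],
    'ManTweet'    => ['code_schema' => 1, 'db_schema' => 1,
                      'pages' => ['index']],
];

function needs_upgrade(array $plugin): bool {
    return $plugin['db_schema'] < $plugin['code_schema'];
}

/** Menu builder: omits plugins awaiting upgrade. Presentation only. */
function menu_entries(array $registry): array {
    return array_keys(array_filter($registry, fn($p) => !needs_upgrade($p)));
}

/** Front controller: every direct URL passes through here. */
function dispatch(array $registry, string $page, bool $central_check) {
    // Accept only "<Plugin>/<page>" built from safe characters.
    if (!preg_match('#^([A-Za-z0-9_]+)/([A-Za-z0-9_]+)$#', $page, $m)) {
        return ERR_PAGE_NOT_FOUND;
    }
    [, $name, $file] = $m;
    if (!isset($registry[$name])) {
        return ERR_NOT_REGISTERED;              // CASE 2
    }
    if (!in_array($file, $registry[$name]['pages'], true)) {
        return ERR_PAGE_NOT_FOUND;
    }
    if ($central_check && needs_upgrade($registry[$name])) {
        return ERR_UPGRADE_NEEDED;              // CASE 3 with the gate in place
    }
    return "render $name/$file";                // CASE 1, or CASE 3 without the gate
}

$url = 'MantisStats/issues_by_reproducibility';
var_dump(menu_entries($registry));              // what the menu offers
var_dump(dispatch($registry, $url, false));     // direct URL, no central check
var_dump(dispatch($registry, $url, true));      // direct URL, central check on
var_dump(dispatch($registry, 'Unknown/page', true));
```
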

aavagyan

2014-01-15 03:31

reporter   ~0039066

I found the "plugin_needs_upgrade" function in Mantis's core and am able to use it to make sure the plugin is ready (by means of schema readiness), otherwise 'exit'-ing. This check is 'included' in all pages, so direct calling is no longer possible if the plugin/schema is not ready.

I'm sorry for this noise. I've added this check to my plugin (MantisStats) and the problem is resolved. At the same time, it looks like most of the available plugins have this issue unresolved.

Please close this Mantis ticket. Thank you.

dregad

2014-01-15 05:06

developer   ~0039068

I don't mind taking a look at the root cause and possibly finding and implementing a solution that would 'fix' all plugins without requiring each of them to add code on all pages, but would appreciate detailed step by step instructions to reproduce the issue using a fresh install of mantis and any publicly available plugin of your choice (yours if you like).

aavagyan

2014-01-15 18:11

reporter   ~0039072

Thank you for this offer. So I assume there is a fresh Mantis installation made on localhost.

A. Download version 1.2.1 of my MantisStats plugin from here https://www.mantisstats.org/downloads/mantisstats-1.2.1.zip or here https://www.mantisstats.org/downloads/mantisstats-1.2.1.tar.gz. In this version my fix is not applied yet. Install the plugin.

B. Go to the plugin (click the "MantisStats" link, which is under the Summary). Naturally you need to use an account which has access level $g_view_summary_threshold or above. Browse one or two reports and copy/save their URLs. For example, if you are on the "By reproducibility" report, then the URL will be http://localhost/plugin.php?page=MantisStats/issues_by_reproducibility

C. Now let's bring the MantisStats plugin to the "Schema upgrade needed" state. Go to the underlying database, to the mantis_config_table table:

SELECT value FROM mantis_config_table WHERE config_id = 'plugin_MantisStats_schema'

Value is 2. Let's change it so it becomes 1:

UPDATE mantis_config_table SET value = 1 WHERE config_id = 'plugin_MantisStats_schema' LIMIT 1

Verify that value is now 1 using the first query from above.

D. Verify that MantisStats is no longer present under the Summary menu. Verify that on the "Manage" => "Manage Plugins" page the MantisStats plugin is now requiring "Upgrade", but don't click it!

E. Now access the http://localhost/plugin.php?page=MantisStats/issues_by_reproducibility URL. For me it is possible to access it. There are errors displayed. So, although the plugin is not present in menus, it is still possible to access its pages directly, with errors output.

dregad

2014-01-17 11:38

developer   ~0039077

Ok, I was able to reproduce the behavior using the provided steps.

However, FYI the report displays without any errors on my test install.

aavagyan

2014-01-22 18:44

reporter   ~0039142

Dear Damien,

I've fixed notices in the new release (https://www.mantisstats.org/downloads/mantisstats-1.3.2.zip, https://www.mantisstats.org/downloads/mantisstats-1.3.2.tar.gz). Could you please retry with ...$g_show_detailed_errors = ON... and ...E_WARNING => 'inline', E_NOTICE => 'inline'... settings?

I'm getting "APPLICATION WARNING #100: Configuration option "plugin_MantisStats_menu_location" not found."

Even if you don't get the error above and reports are running smoothly - do you think this is the correct behavior if schema update is needed? My understanding is that in the case schema update is needed plugin pages should not be permitted to run (no matter smoothly or with errors/warnings/notices).

Thank you,
Avetis

dregad

2014-01-23 04:12

developer   ~0039145

Have not had time to test your updated version yet.

However, please have a look at the attached patch; it should hopefully address the issue you raised. Let me know your feedback.

aavagyan

2014-01-23 05:24

reporter   ~0039148

Yes, this is it, thank you. :-) I confirm your patch addresses the issue.

dregad

2014-01-23 12:26

developer   ~0039153

Pull request for peer review https://github.com/mantisbt/mantisbt/pull/112

aavagyan

2014-02-04 09:45

reporter   ~0039310

Thank you!

Related Changesets

MantisBT: master-1.2.x dae99d0f

2014-01-18 04:47

dregad


Prevent plugin pages access when upgrade pending

If a plugin's code has been upgraded, but the schema is still on the old
version, the plugin is effectively disabled (i.e. its entry points are
not displayed). However, it was still possible to access individual
pages directly, which could lead to errors.

This commit adds an extra check in plugin.php which triggers an error
when the plugin needs to be upgraded.

Fixes 0016706
Affected Issues
0016706
mod - plugin.php
mod - lang/strings_english.txt
mod - core/constant_inc.php

MantisBT: master 896f775f

2014-01-18 04:47

dregad


Prevent plugin pages access when upgrade pending

If a plugin's code has been upgraded, but the schema is still on the old
version, the plugin is effectively disabled (i.e. its entry points are
not displayed). However, it was still possible to access individual
pages directly, which could lead to errors.

This commit adds an extra check in plugin.php which triggers an error
when the plugin needs to be upgraded.

Fixes 0016706
Affected Issues
0016706
mod - plugin.php
mod - lang/strings_english.txt
mod - core/constant_inc.php