meeting-room-booking-system / mrbs-code

MRBS application code

Access Denied #1334

Open jberanek opened 10 years ago

jberanek commented 10 years ago

Just upgraded Windows server and getting Access Denied when trying to get into any admin pages. Authentication is working, only admins are seeing the admin stuff, but when they go to try to edit something they can't view the pages. The databases and files were cloned from old server.

Running variable dump I see the user's name going through and shows them with admin rights. Little lost here. Any ideas?

Reported by: djmceltic

Original Ticket: mrbs/support-requests/601

jberanek commented 10 years ago

Also all of our bookings (thousands) and everything else are showing just fine. Nothing was touched other than me changing the URL in the config settings.

Original comment by: djmceltic

jberanek commented 10 years ago

Even messed with my rights (we have 4 levels) and I see the edit icons when I have the right rights and don't see them when I take them away.

Original comment by: djmceltic

jberanek commented 10 years ago

It could be that your PHP sessions aren't working properly. You could test this by changing your session scheme by setting

$auth["session"] = "cookie";

in your config file. If everything works OK then go back to using "php" sessions and figure out why they aren't working. Check the session settings in your php.ini file. In particular make sure that your session temp directory is writable.

Original comment by: campbell-m
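
The session check suggested in the comment above, as an added example that is not part of the original thread or of MRBS: a stand-alone PHP page that reports the session handler, whether the save directory is writable, and whether a value survives a write/read round trip. The file name `session_check.php` and the `mrbs_probe` key are assumptions made for illustration.

```php
<?php
// session_check.php (hypothetical name): added diagnostic, not MRBS code.
// Reports whether PHP's native sessions can store and reload data.
header('Content-Type: text/plain');

function session_save_dir(): string
{
    // session.save_path may be "/path", "N;/path" or "N;MODE;/path";
    // the directory is always the last field.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = trim(end($parts));
    // Empty means PHP falls back to the system temp directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function check_php_sessions(): array
{
    $report = ['save_handler' => ini_get('session.save_handler')];
    if ($report['save_handler'] === 'files') {
        $dir = session_save_dir();
        $report['save_path']    = $dir;
        $report['dir_exists']   = is_dir($dir);
        $report['dir_writable'] = is_writable($dir);
    }

    // Round trip: write a value, close the session, empty the in-memory
    // copy, reopen, and see whether the value comes back from storage.
    $report['session_started'] = session_start();
    $_SESSION['mrbs_probe'] = 'ok';   // constructed key for this probe only
    session_write_close();
    $_SESSION = [];
    session_start();
    $report['round_trip_ok'] = ($_SESSION['mrbs_probe'] ?? null) === 'ok';

    // Clean up the probe session.
    session_destroy();
    return $report;
}

foreach (check_php_sessions() as $key => $value) {
    echo str_pad($key, 18), var_export($value, true), "\n";
}
```

Run it under the same web server account that serves MRBS, and delete it afterwards, since it prints server paths.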

jberanek commented 10 years ago

OK... Well I figured it out and it was part dumb mistake and part just totally not understanding MRBS rules. But I will put results here in case it helps anyone in future.

So I have an SSO and I use the session hosts config because quite frankly it is the easiest way to do it. Make your session user equal to remotehostname and boom we have authentication.

Now we have been using MRBS for years and I never realized that we were keeping user authentication with session and no cookie present. For some reason when I brought new server up I saw my user logged in but with incorrect rights. So then I did what I have taught myself not to do when troubleshooting - make a config change. So I changed $auth["type"] = "none"; - I was also having a site/SSO looping issue and bam this fixed that.

Well when I did that I had no idea that MRBS would no longer be using the database user table. I just thought this meant it required no password. And since I have SSO I thought that this was the correct choice... wrong. By moving away from $auth["type"] = "db"; MRBS was not equating any of my rights to my user id (we use user id for $user).

So I learned two lessons... MRBS uses php sessions really well. And the "db" auth isn't just for passwords, it is more importantly for using the users table.

Original comment by: djmceltic