LuxCal Forum

The place for questions, suggestions and news about the LuxCal Event Calendar

Ver 4.10L - Public view can edit events
Posted:  27 Feb 2015 21:36   Last Edited By: wgcal
Dear friends,

Thank you for a most attractive, easy to use website calendar.  However, I have just installed 4.10L and am having a problem. 

When a user is not logged in (public view), it is possible to edit or delete an event. 

Click on the event to view it.  No editing functions are available, only the Close button is displayed, as one would expect. 

Then, close that event viewing window. 

Click on the event again.  Now, all of the editing functions are available.

I have confirmed that events can be edited and deleted in this way, without logging in.

I am using Seamonkey 2.15.2 browser. 

I have noted the same problem with Midori 0.2.2, and with Android Mobile browsers Lightning 3.1.1a and Firefox 32.0.3. 

Can you suggest what I might have done wrong in the installation?

Thank you for your time.
Posted:  28 Feb 2015 18:30
Hi there,

I don't know if you did something wrong. I've not seen this before.
Could you please send me the URL of your calendar, via the Contact Us page if you prefer, so that I can try this out myself and further analyze the problem.
Roel
Posted:  28 Feb 2015 18:48
I've discovered some other strange (perhaps related) behavior with regard to permissions.

1. If no one is logged in (public view), and you refresh the calendar page after each time you view an entry, the entries remain read-only, as they should. 

However, if you view ANY entry by anyone, close it, then view it again without refreshing the calendar page between views, you will have full editing privileges, even though the calendar page still says Public View at the top right.

2. Users in the group "post own" can edit or delete the entries of all other users, even the administrator. This does not even require the second viewing of the event entry. 

This is because ...

3. If a logged in user views an event created by another user, his user ID changes to that of the user who created the event he has viewed.

For example, if user "Joe" is logged in and views an event entered by "Jane," Joe *becomes* Jane.  That is, his user ID is changed to Jane's. 

This can be seen when one refreshes the calendar page in the browser, or adds a new calendar entry: the new entry will be in the ID of the user whose entry was just viewed, not the ID under which the user logged in.

This of course means that by viewing an entry of the administrator, an ordinary user can become the administrator, with all of the administrator's rights.  This is not desirable ...

I cannot imagine what I might have done to cause this problem.  I hope you can help!
Posted:  01 Mar 2015 10:05   Last Edited By: Roel B.
The solution to this problem was to configure the server to use a later version of PHP. 

With my shared hosting account, this is done by using Cpanel.  It's found in "PHP Configuration."

Although under requirements the installation guide says "The web server should be able to run PHP-scripts (PHP 5.1 or higher)," it appears that PHP version 5.2 was not compatible with Luxcal 4.1.0L.  The problem disappeared when I changed the version of PHP in use from 5.2 to 5.4.

Thanks to Roel for making available this outstanding calendar!

Note by Roel:
========
The problem is not PHP 5.2, but the fact that - in the above case - in the PHP 5.2 installation the provider has enabled the "register globals" feature. Register globals are deprecated as of PHP 5.3 and as of PHP 5.4 this feature has been removed altogether. Since very few providers still have register globals enabled in PHP versions < 5.4, only very few LuxCal users have this problem.
So, if you are using a PHP version < 5.4, take care that the "register globals" feature is disabled.
Roel
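
A startup guard for the condition described in the note above, as an added example that is not LuxCal's own code. The function names `ini_flag_enabled` and `register_globals_active` are hypothetical, and the script is assumed to be included before the session is started; the syntax is kept compatible with PHP 5.2.

```php
<?php
// Added example, not part of LuxCal. Include this before session_start().
// Where the host runs PHP as an Apache module and allows overrides, the
// setting can also be turned off in .htaccess:
//     php_flag register_globals off

/**
 * Interpret an ini_get() result as a boolean. php.ini booleans normally
 * come back as "1" or "", but a value set elsewhere can come back as the
 * literal string ("On", "true", ...), so the common spellings are handled.
 */
function ini_flag_enabled($raw)
{
    if ($raw === false) {
        return false; // directive does not exist in this PHP build
    }
    $value = strtolower(trim((string) $raw));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

/**
 * True when this PHP instance still injects request and session data
 * into the global scope.
 */
function register_globals_active()
{
    // The feature was removed in PHP 5.4, so only older versions can have it.
    if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
        return false;
    }
    return ini_flag_enabled(ini_get('register_globals'));
}

if (register_globals_active()) {
    // Fail closed: do not serve the application with permissions unreliable.
    header('HTTP/1.1 503 Service Unavailable');
    error_log('register_globals is enabled on PHP ' . PHP_VERSION . '; refusing to run');
    exit('Calendar disabled: register_globals is enabled on this server. '
        . 'Disable it or switch to PHP 5.4 or later.');
}
```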