User with no group assigned causes runtime error in spdbnav

VictorUlloa, Sun Feb 13 2022, 01:17PM

Using the RBA module, I can log in with a user not yet assigned to any group. When trying to open an app from the menu, I got a runtime error:

|runtime error: [undefined array key 0]

(error 2 in line [197] of file [c:phspeedxampphtdocs_libsphpspdbnav.php]

I looked at the code and the cause is that, when retrieving the user permits, the getModuleRightsOf public function in sprba.php doesn't account for the "null" case in the select statement.  It works as long as the user and app are assigned to at least one usergroup and one appgroup.

But if the sentence does not return a data row (because either the user or the app is not assigned to any group), the function returns an empty array, thus leading to an invalid index when other modules try to access $r[0].

The workaround is really simple: I must assign a group to every user, but maybe you could add the consideration to getModuleRightsOf to not return an empty array, but a "deny all" array with the values in "N", so a user with no group assigned gets the "Access denied" message instead of a runtime error.

Re: User with no group assigned causes runtime error in spdbnav
administrator, Sun Feb 13 2022, 06:30PM

Thank you for your report.
Actually, if the role is not found then an empty array is returned, which is by design. This has been changed from null due to PHP8+ and the main issue here IMHO is a problem in the dbNav module. It verifies if the return is an array and if it is, it looks into it. But since the change of null -> empty array, it should test the number of elements in the array. That has been fixed.

As a patch (spdbnav component)

$rslt=$this->root->getModuleRightsOf(getSessionVar('UserNum',-1), $this->app->name);
// An empty array means no role was found, so check the element count before reading index 0.
if(is_array($rslt)) {
    if(count($rslt)!=0) {
        if($rslt[0]!==false) {
            // As posted, all five flags are set from the same 'access' column.
            if($rslt[0][$this->root->rba->sec_applicationgroup->access]=='Y') { $rbaaccess=true; }
            if($rslt[0][$this->root->rba->sec_applicationgroup->access]=='Y') { $rbaread=true; }
            if($rslt[0][$this->root->rba->sec_applicationgroup->access]=='Y') { $rbacreate=true; }
            if($rslt[0][$this->root->rba->sec_applicationgroup->access]=='Y') { $rbaupdate=true; }
            if($rslt[0][$this->root->rba->sec_applicationgroup->access]=='Y') { $rbadelete=true; }
        }
    }
}
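
A fail-closed way to consume the lookup result, combining the "deny all" array suggested in the first post with the element-count check from the reply. This is an added example, not PHsPeed code: normalizeRights(), the column names and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical column names; the real ones live in the RBA schema
// (sec_applicationgroup) and are not shown in the thread.
const RIGHT_COLUMNS = ['access', 'read', 'create', 'update', 'delete'];

/**
 * Turn a rights lookup result into a complete permission map.
 * Anything other than an array whose element 0 is a data row yields
 * "deny all", so callers never index into a missing row.
 */
function normalizeRights(mixed $rslt): array
{
    $rights = array_fill_keys(RIGHT_COLUMNS, false);   // fail closed

    // Covers null, an empty array, a missing key 0 and a false row.
    $row = is_array($rslt) ? ($rslt[0] ?? null) : null;
    if (!is_array($row)) {
        return $rights;
    }
    foreach (RIGHT_COLUMNS as $col) {
        // Only an exact 'Y' grants; a missing key, null, 'N' or 'y' denies.
        $rights[$col] = ($row[$col] ?? 'N') === 'Y';
    }
    return $rights;
}

// Constructed sample lookup results (not real PHsPeed data).
$samples = [
    'user without group (empty array)' => [],
    'null (older return value)'        => null,
    'failed fetch'                     => [false],
    'read-only role'                   => [['access' => 'Y', 'read' => 'Y', 'create' => 'N']],
];

foreach ($samples as $label => $rslt) {
    $granted = array_keys(array_filter(normalizeRights($rslt)));
    printf("%-34s => %s\n", $label, $granted ? implode(',', $granted) : 'Access denied');
}
```

Because the function always returns every key, a caller can read any right directly and the no-group case ends in a denial rather than an undefined-index error.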