Support » Plugin: IP Geo Block » incompatible with Awesome Support plugin

  • Resolved baldzius

    (@baldzius)


    Hi,

    Your plugin is really great, nicely done.
    I noticed that I can’t get it working with Awesome support plugin https://wordpress.org/plugins/awesome-support/ . Eventually to get it working I had to disable “Prevent malicious file upload”. Checked mime types and files extensions and all were fine but still was causing me issues.
    Mentioning just in case if somebody has same issue. Not sure if this can be fixed.

    Thanks,
    Aldas

  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Aldas,

    Thank you for reporting the issue.

    Checked mime types and files extensions and all were fine but still was causing me issues.

    I’m afraid to say I can’t recognize what issue you have. But I guess that you can’t find some mime types in IPGB which you can find in Awesome Support.

    IPGB uses the WordPress standard function wp_get_mime_types() and the filter hook upload_mimes.

    So if developers follow those standards, there are no compatibility issues. But I know many developers who build something like an uploader don’t follow the WP standards. That’s why I provide “Blacklist of forbidden file extensions” so that users can set their original file extensions through the UI of IPGB.

    As for another solution, you can put the following snippet into your theme’s functions.php:

    function my_custom_mime_types( $mimes ) {
        // New allowed mime types.
        $mimes['zip'] = 'application/zip';
    
        return $mimes;
    }
    add_filter( 'upload_mimes', 'my_custom_mime_types' );

    The list of mime types in https://developer.mozilla.org/en/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types may help you.

    By the way, you can find a bunch of vulnerabilities in https://wpvulndb.com/search?text=upload . So I don’t recommend allowing .zip, .svg, .xls and more because those files can include executable files, code and macros.

    I hope this helps you. But if my guess does not fit your issue, please let me know.

    Thanks.
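
An added example (not part of the reply above and not code from IP Geo Block or Awesome Support): a variant of the upload_mimes filter that keeps the file types the reply warns about out of the allowed list and re-adds .zip only for users holding a chosen capability. The function name, the `manage_options` gate and the extension list are assumptions for illustration.

```php
<?php
// Added example. Assumptions: the function name, the capability used as the
// gate and the list of risky extensions are illustrative, not from the thread.

function example_scoped_upload_mimes( $mimes, $user = null ) {
	// Extensions that can carry executables, script or macros.
	$risky = array( 'zip', 'svg', 'svgz', 'xls', 'xlsm', 'docm' );

	// Keys of $mimes are extension patterns such as 'jpg|jpeg|jpe', so a
	// whole pattern is dropped when any one of its extensions is on the list.
	foreach ( array_keys( $mimes ) as $pattern ) {
		if ( array_intersect( explode( '|', $pattern ), $risky ) ) {
			unset( $mimes[ $pattern ] );
		}
	}

	// upload_mimes passes the user being checked as its second argument
	// (ID, WP_User or null); null means "the current user".
	$trusted = $user
		? user_can( $user, 'manage_options' )
		: current_user_can( 'manage_options' );

	if ( $trusted ) {
		$mimes['zip'] = 'application/zip';
	}

	return $mimes;
}
// Priority 99 so this runs after plugins that add types at the default 10.
add_filter( 'upload_mimes', 'example_scoped_upload_mimes', 99, 2 );
```

Uploaders that bypass the core MIME functions are not affected by this filter, which is the gap the “Blacklist of forbidden file extensions” setting mentioned in the reply is meant to cover.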

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Aldas,

    I’ve tested the Awesome Support plugin and now I can recognize what your issue was. IPGB would block the upload request from AS. This blocking was caused by a bug in IPGB. While AS handles multiple file uploading, IPGB could not handle one.

    Now I put the fixed version at https://github.com/tokkonopapa/WordPress-IP-Geo-Block/archive/3.0.3.5.zip . So would you test it?

    1. Deactivate IPGB.
    2. Download the above zip file and unzip it.
    3. Upload the ip-geo-block folder in the unzipped folder to your /wp-content/plugins/. You can overwrite the existing one on your server. Please do not upload other files such as test, .gitignore and so on.
    4. Activate IPGB again.

    As for the upload_mimes filter hook, AS handles it but restricts it only to AS. It might be for security reasons. So you still can not synchronize mime types between AS and IPGB automatically.

    Anyway, I’d appreciate it if you check the fixed version.
    Thanks.

    P.S. Please use the latest version of AS because of http://www.vapidlabs.com/wp/wp_advisory.php?v=83 .

    Hi tokkonopapa,

    Thank you for such a detailed explanation. You are amazing.
    I have tried your new version but still seem to have the same issue. I can’t submit new tickets and I am not using attachments at all.
    The only thing I could do is to force ticket from closed to open and that was all.
    If you think it’s not worth the bother I just disable upload setting in IPGB.
    Highly appreciate your help.

    Thanks,
    Aldas

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Aldas,

    If you think it’s not worth the bother I just disable upload setting in IPGB.

    Please do not mind about that. I’d like to solve your issue and improve my plugin. So I really appreciate your cooperation.

    I can’t submit new tickets and I am not using attachments at all.

    Sorry about that. As I’m not familiar with AS, could you tell me the procedure so that I can reproduce the issue? Can I reproduce your issue when I’m logged in as an admin?

    If so I can open a ticket.

    test ticket

    But when I logged in as another account (privilege is a subscriber), I can not open a ticket.

    can not submit a ticket

    How can I test this issue?

    Thanks.

    • This reply was modified 2 years, 3 months ago by  tokkonopapa. Reason: correct privilege as subscriber

    Hi,
    Assign your user to Support User (wpas_user) role or make role to have identical permissions as Support User role. Let me know if you still have issues with it.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Aldas,

    Thank you for the info! I successfully set up the user “guest” as “Support User”, and found the cause of this issue.

    IPGB checks the user’s capability upload_files by current_user_can() when any files are uploaded. But AS sets the capability of wpas_user as attach_files as follows:

    WP_Role Object
    (
        [name] => wpas_user
        [capabilities] => Array
            (
                [read] => 1
                [level_0] => 1
                [read_private_sunshine_galleries] => 1
                [edit_others_posts] => 1
                [view_ticket] => 1
                [create_ticket] => 1
                [close_ticket] => 1
                [reply_ticket] => 1
                [attach_files] => 1
            )
    
    )

    The issue is the capability attach_files is not WP standard. It should be upload_files which you can find in Roles and Capabilities.

    Of course, AS can set its original capability. But I think the same meaning should be the same name. For example, edit_others_posts is also defined as WP standard.

    I hope you to report this issue at AS support forum.

    As for me, I’ll consider some code snippet to make IPGB and AS compatible. Please give me some time.
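
An added example (not part of the reply above and not code from either plugin): a helper that lists every role holding the core `upload_files` capability or Awesome Support's `attach_files`, and flags the roles that have only the latter, which is the mismatch described in the reply. The function name and report layout are assumptions.

```php
<?php
// Added example. Assumptions: the function name and the report layout are
// illustrative; only the two capability names come from the thread.

function example_audit_upload_caps() {
	$report = array();

	// wp_roles()->roles maps role slug => array( 'name' => ...,
	// 'capabilities' => array( capability => bool ) ).
	foreach ( wp_roles()->roles as $slug => $role ) {
		$caps = array_filter( $role['capabilities'] ); // granted caps only
		$core = isset( $caps['upload_files'] );
		$as   = isset( $caps['attach_files'] );

		if ( $core || $as ) {
			$report[ $slug ] = array(
				'upload_files' => $core,
				'attach_files' => $as,
				// Can attach files in AS but fails a check for upload_files.
				'mismatch'     => $as && ! $core,
			);
		}
	}

	return $report;
}

// Write the report to debug.log on admin requests while WP_DEBUG is on.
add_action( 'admin_init', function () {
	if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
		error_log( print_r( example_audit_upload_caps(), true ) );
	}
} );
```

Roles flagged as `mismatch` are the ones a check for `upload_files` rejects; granting them `upload_files` also lets them upload through the core media screens, so review the list before changing any role.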

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi there,

    When you add the following code into your theme’s functions.php, this issue will be solved:

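    function allow_wpas_user_uploads() {
    	// get_role() returns null when the role does not exist (e.g. AS is not active).
    	$role = get_role( 'wpas_user' );
    	if ( $role && ! $role->has_cap( 'upload_files' ) ) {
    		$role->add_cap( 'upload_files' );
    	}
    }
    allow_wpas_user_uploads();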

    Please refer to https://codex.wordpress.org/Function_Reference/get_role .

    Support User ticket

    Please try it!

    The functions.php snippet is no good for me as I need different roles. I am not surprised that AS could actually be a culprit.

    I hope you to report this issue at AS support forum.

    I think it would be better if you could report it if you don’t mind because you can then engage with plugin’s dev directly. Myself I will be just lost in code.

    Frankly I am not sure if it is worth the hassle. AS doesn’t seem to be written in accordance with good practice and I really don’t want you to spend too much time on it. Maybe it’s worth just mentioning that this AS plugin has some issues and just leaving it at that? I think for now I will just disable upload validation, not a critical thing for me.
    You are very passionate and dedicated individual and I appreciate all you did for me a lot. Just please let me know if you think there is hope in fixing this but I think it actually must come from AS side.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Dear Aldas,

    Thank you for your concern about me.

    I think it would be better if you could report it if you don’t mind because you can then engage with plugin’s dev directly.

    Before doing that, I was thinking how I could design the handling of file upload from the security point of view if I were a developer of AS.

    … but I think it actually must come from AS side.

    Basically I agree. For example, you can add svg via “Ticket -> Settings -> File Upload -> Allowed Files Types”, but Support User (wpas_user) can not upload any SVG file because AS utilizes the core function to handle it. This means the role is different but the capability is almost same as one in core. I think this is another issue. (See https://www.bjornjohansen.no/svg-in-wordpress)

    Anyway, I decided to add a new filter hook ip-geo-block-upload-capability into IPGB because:

    1. In general, designing file uploading safely is very difficult (see https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/), even for a gif (see http://www.thinkfu.com/blog/gifjavascript-polyglots) or a png (see http://tunnelshade.in/blog/2015/06/stegosploit-fun/). So every developer should have their security policy according to their aim of applications.
    2. I might have the similar issues with other plugins or themes besides AS.

    Now you can put the following snippet into your theme’s functions.php.

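    function allow_wpas_user_uploads( $capability = FALSE ) {
        // wp_get_current_user() always returns a WP_User; roles is empty when logged out.
        $user = wp_get_current_user();
        foreach ( $user->roles as $role_name ) {
            // get_role() returns null for a role that is no longer registered.
            $role = get_role( $role_name );
            if ( $role && $role->has_cap( 'attach_files' ) ) {
                return TRUE;
            }
        }

        // No role grants attach_files: keep the result of IPGB's own check.
        return $capability;
    }
    add_filter( 'ip-geo-block-upload-capability', 'allow_wpas_user_uploads' );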

    The above code focuses only on the capability attach_files and does not add upload_files. So you can use it safely with any user role.

    I updated the release candidate 3.0.3.5 same as in this previous thread. I hope you will try it.

    Although once I close this topic, please feel free to post anything you need at any time.

    Thanks my friend!

    not sure what’s going on but it still doesn’t work. I have added a hook you pasted and upgraded to new rc version.
    Could you try on some random user role which has same permissions as wpas_user?

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @baldzius,

    Sorry about that.

    I installed the User Role Editor plugin and made a new role “Sample Role” that is a copy of “Support User”, then applied it to the account “guest”.

    Everything works fine.

    Sample Role for guest

    Does your role have the capability attach_files?

    yes it does. Is there anything else I should look at? do you think it could be related to cache?

    Plugin Author tokkonopapa

    (@tokkonopapa)

    I think you configure your cache as no caching for logged-in user, right?

    I exactly downloaded rc version from this thread and copied snippet in this thread into my child theme’s functions.php.

    Hum…

    I think we need to debug. Can you put the following snippet into your wp-config.php ? (See https://codex.wordpress.org/Debugging_in_WordPress)

    define( 'WP_DEBUG', true );
    if ( WP_DEBUG ) {
        define( 'WP_DEBUG_LOG', true );
        define( 'WP_DEBUG_DISPLAY', false );
        @ini_set( 'display_errors', 0 );
    }

    Then I made a debug version which embeds error_log() to write some info into your /wp-content/debug.log.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    I made a gist of “class-ip-geo-block.php” at https://gist.github.com/tokkonopapa/6b760352c3938eb233871a512d89f83b

    So please download it from the “Download ZIP” button. After unzipping, upload “class-ip-geo-block.php” into /wp-content/plugins/ip-geo-block/classes/. I think overwriting is OK.

    When you attach some files in your ticket, /wp-content/debug.log looks like this:

    [13-Aug-2017 18:43:11 UTC] WP_Role Object
    (
        [name] => samplerole
        [capabilities] => Array
            (
                [read] => 1
                [level_0] => 1
                [read_private_sunshine_galleries] => 1
                [edit_others_posts] => 1
                [view_ticket] => 1
                [create_ticket] => 1
                [close_ticket] => 1
                [reply_ticket] => 1
                [attach_files] => 1
            )
    
    )
    
    [13-Aug-2017 18:43:11 UTC] before apply_filter: 
    [13-Aug-2017 18:43:11 UTC] after  apply_filter: 1

    Sorry but it is almost midnight in my time zone. So I’ll follow up on this issue tomorrow.

    Thanks a lot. Just what I thought. It works if I reply to ticket with attachment but doesn’t if there is no attachment. Can you replicate?
    Debug output is same when it works or not:

    (
    [name] => subscriber
    [capabilities] => Array
    (
    [attach_files] => 1
    [close_ticket] => 1
    [create_ticket] => 1
    [level_0] => 1
    [read] => 1
    [reply_ticket] => 1
    [view_ticket] => 1
    )

    )
