- Moderated by:
- Support Team
-
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
Our poll is only open to voting by registered users. Lately, I have been receiving complaints that, after selecting an answer to the question and clicking on the vote button, users are directed to a page that says 'You are not authorized to carry out this operation'. They tell me, though, that if they try to vote a second time, then it works just fine. I have tried this myself and have independently confirmed that what they are telling me is true.
What could be causing this behavior and how can I fix it?
The poll is in a left side block and I don't want to move it to a right side block as suggested in other discussions concerning this issue.
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
Thanks, Bad_Dude, for taking the time to add to this thread.
I'm hoping someone with an in-depth understanding of this issue will take the time to look into it and lead all of us to a solution. After all, this is not a third party module dependent on user-to-user support. Can someone involved in the development of core modules and blocks please help us??
-
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
That's interesting, but what is causing this behavior and how can it be fixed?
Maybe I'm not in the right part of this support forum. Is there another area that would be more appropriate for a question like mine?
- rank:
-
Helper
- registered:
- February 2005
- Status:
- offline
- last visit:
- 06.05.08
- Posts:
- 492
I think the reason for this is mentioned below:
Teb at http://community.postnuke.com/module-Forum-viewtopic-topic-51702-start-0.htm#pid220647
This is due to expired authkeys on pages that require user input.
This also happens when you have multiple browser windows open for the same website. Each time you load a page which requires user input, an auth key is generated. When you open window number 2, the key for window number 1 expires, giving the mentioned error.
So, make sure that if you load a page that requires user input, no other page loads (in other windows) are done before submitting. Then this error would probably not occur.
larsneo at http://community.postnuke.com/module-Forum-viewtopic-topic-51436-start-0.htm#pid219508
basically the authkey is a protection against cross-site-request-forgery - sometimes security doesn't serve usability very well
--
-- Teb
-- Dutch PostNuke Community
Support questions in a Personal Message will be ignored. Use the forums at all times!
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
Teb - that scratches the surface of the behavior, perhaps, but it doesn't resolve the issue. I would like to know what needs to be done so the poll can remain in the left side block and work as intended no matter where a user is at when they finally decide to vote. Am I making any sense? Will the Poll work from within a left side block or not?
I can't believe anyone interested or working on a community support utility like PostNuke would make a silly statement like this, "sometimes security doesn't serve usability very well". The concept of a content management system is obviously a challenge to larsneo.
- rank:
-
Helper
- registered:
- February 2005
- Status:
- offline
- last visit:
- 06.05.08
- Posts:
- 492
Of course it should, as it already works on a great bunch of sites I have seen, no matter on what block position it is in.
flic
Will the Poll work from within a left side block or not?
The answer I have given, should point you in the right direction of how to solve the problem.
Is there a second PostNuke page load after the rightblocks have been created (and thus an authid has generated, and before the leftblocks are visible)? Is there another block in the leftblocks-position that could generate an authid? Does the same error occur when you set the poll block to the top-position in the left column?
Basically, this will happen with any CMS or framework you use: once a unique authid has been used (or a second authid has been created for that module) against cross-site-request-forgery, the first one will expire. So, back-buttons in your browser also cause the use of a used and expired auth key. Maybe a link to your site would help, as I think this is not a bug, but is site-dependent.
flic
I can't believe anyone interested or working on a community support utility like PostNuke would make a silly statement like this, "sometimes security doesn't serve usability very well".
OK, a bit of an opinion (and offtopic) from me about this one: PostNuke is not a utility, it is a framework. It is a secure basis behind a rich content site. And, in this framework, the basis is secure, so that any module author does not have to worry about this, and can think of usability instead of security. That has been so for years.
This type of security is the choice in PostNuke for years now, and has been discussed a lot of times within the development team to improve it. But a better solution has not been found as yet. So, sorry if the software does not suit everyone's needs.
If you don't like it, don't use it, or help us improve it. But please, do not point a finger to people that invest their spare time to give you a piece of software without demanding anything back. Again, this is my personal opinion.
--
-- Teb
-- Dutch PostNuke Community
Support questions in a Personal Message will be ignored. Use the forums at all times!
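The expiry behaviour described in the posts above, as an added example that is not part of the thread and is not PostNuke's code. It models one live key per session that is replaced on every generation and consumed on every check, next to a hypothetical bounded pool of single-use keys; the class names, the pool size and the session id are assumptions made for illustration.

```python
import hmac
import secrets


class SingleSlotAuthKeys:
    """Model of the thread's description: one live key per session."""

    def __init__(self):
        self._live = {}  # session id -> the only key that will be accepted

    def generate(self, session):
        self._live[session] = secrets.token_hex(16)  # expires the previous key
        return self._live[session]

    def confirm(self, session, key):
        live = self._live.pop(session, None)  # single use: consumed either way
        return live is not None and hmac.compare_digest(live, key)


class PooledAuthKeys:
    """Hypothetical alternative: a bounded pool of unused single-use keys."""

    def __init__(self, max_live=8):
        self._live = {}  # session id -> unused keys, oldest first
        self._max = max_live

    def generate(self, session):
        pool = self._live.setdefault(session, [])
        pool.append(secrets.token_hex(16))
        del pool[:-self._max]  # only the oldest keys beyond the cap expire
        return pool[-1]

    def confirm(self, session, key):
        pool = self._live.get(session, [])
        for i, live in enumerate(pool):
            if hmac.compare_digest(live, key):
                del pool[i]  # still single use, so a replay fails
                return True
        return False


def vote_after_second_form(store, session="constructed-session"):
    poll_key = store.generate(session)   # poll block form is rendered
    store.generate(session)              # another form or window renders later
    first = store.confirm(session, poll_key)
    retry_key = store.generate(session)  # page reloads, poll form re-rendered
    second = store.confirm(session, retry_key)
    forged = store.confirm(session, "0" * 32)  # request without a valid key
    replay = store.confirm(session, retry_key)
    return first, second, forged, replay
```

With the single-slot store the first vote is rejected and the retry succeeds, which is the symptom reported at the top of the thread; the pooled store accepts both while still rejecting the forged and the replayed key.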
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
Teb - I do like PostNuke and that's why I am using it. In case you haven't figured it out, this entire thread is about improving it. Quit trying to throw your weight around. You are no more important than any of the rest of us. Everyone who uses PostNuke has a duty to expose stupidity. Usability trumps security every time. There is no point in having security if no one can use the site, or if everyone gets so frustrated because of security they quit using it. That is self-evident.
How can you possibly say you have seen a bunch of sites with the Poll and it works no matter what block position it is in, and then turn around and ask me if the same error occurs when I set the poll block to the top-position in the left column? You can't have it both ways, Teb. Either it functions properly in any block position or it doesn't.
It seems this issue, and many others, could be resolved if developers would take a bit of time and explain the module's limitations. If you are going to develop and make a module available to the public, then you have a responsibility to explain to us how and under what circumstances it will function properly within what you describe as the PostNuke framework.
This issue has been dragging on and on and on. It's time for a resolution.
- rank:
-
Helper
- registered:
- February 2005
- Status:
- offline
- last visit:
- 06.05.08
- Posts:
- 492
I have seen it working on a bunch of sites (with other / different blocks in the same block position than you have probably), and therefore I said it "should" work. However, all sites are different, that is why I am asking you to show me where your site is located. So I can see if there is a block that also generates an authid right before the poll block does, because that is something I haven't seen before.
My intention is to help solve your problem. Nothing more, nothing less, and definitely not throwing my weight around. Discussing my position on this community (which is indeed no more or less than anyone else) does not solve the problem, right?
I overreacted a bit, my apologies if an offense was taken. If I think someone is pointing a finger to people working their butt off just to make good software, I do get offensive. Hope this discussion is ended and we can be more constructive on solving this problem and improving the software.
--
-- Teb
-- Dutch PostNuke Community
Support questions in a Personal Message will be ignored. Use the forums at all times!
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
You're right and believe me I appreciate every bit of work someone does in support of this wonderful tool.
The 'User Login' block is on the left side. After a user logs in, the left side contains the 'Main Menu' block, then, under that, the 'Private Messages' block, and then, under that, a 'Menu' block for individual users if they so choose. Finally, under all those blocks is the 'Poll' block.
edited by: flic, Feb 16, 2007 - 10:44 PM
- rank:
-
Helper
- registered:
- February 2005
- Status:
- offline
- last visit:
- 06.05.08
- Posts:
- 492
With the blocks you describe I don't see any other blocks that generate an authid. But maybe that is different when someone is logged in. This is something you could look for when logged in: View the source of the pages where authorisation fails, and see if there are other forms using an authid as a hidden input. The first would succeed, the rest would probably fail for submission.
If this is not the case, and you did not use any back-buttons when browsing, then I am a bit stuck here indeed...
--
-- Teb
-- Dutch PostNuke Community
Support questions in a Personal Message will be ignored. Use the forums at all times!
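One way to automate the view-source check suggested in the post above, as an added example that is not part of the thread: it lists every form on a saved page that carries a hidden `authid` input and flags pages with more than one. The sample page, its form actions and its key values are constructed; only the field name `authid` comes from the thread.

```python
from html.parser import HTMLParser

# Constructed sample of a logged-in page; actions and key values are made up.
SAMPLE_PAGE = """
<div class="left">
  <form action="index.php?module=Messages" method="post">
    <input type="hidden" name="authid" value="aaaa1111" />
    <input type="submit" value="Send" />
  </form>
  <form action="index.php?module=Polls" method="post">
    <input type="hidden" name="authid" value="bbbb2222" />
    <input type="radio" name="option" value="1" />
  </form>
</div>
<form action="index.php?module=Search" method="get">
  <input type="text" name="q" />
</form>
"""


class AuthidFormScanner(HTMLParser):
    """Collects (form action, authid value) for each form with a hidden authid."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._action = None  # action of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and self._action is not None:
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") == "authid":
                self.found.append((self._action, a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def forms_with_authid(html):
    scanner = AuthidFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found


def has_competing_authids(html):
    # More than one keyed form on a page means the keys can expire each other.
    return len(forms_with_authid(html)) > 1
```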
- rank:
-
Softmore
- registered:
- December 2006
- Status:
- offline
- last visit:
- 31.05.07
- Posts:
- 55
No, I just described to you what is on the left side after someone logs in. Did you miss that?
If it makes a difference, and I don't know why it should, on the right side is a PostCalendar block and a News Feed block. Other than that, the site contains the normal Search, and Submit News features. It also has EZComments and Mediashare.
It sounds as if you are saying that if someone doesn't vote straight away after they login, then they won't be able to vote at all. I guess that would be fine in a storybook setting, but, you know, people will be people.
I just can't imagine trying to choreograph every user's every move, explaining beforehand the exact order in which they must proceed to be able to use all the features of the content management system.
Is there anyone else out there who might be able to lend a hand and help us get past this issue??
