
Can not modify Member's point

#110702 (In Topic #22233)

Fan in action

Hello dear,

I cannot change member's points:

Can anyone help me please!!

thank you.

#110704

This looks like a bug in one of our non-bundled addons. I'll get back to you on it soon.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#110706

Fan in action

thank you so much Chris...:rockon::rockon::rockon::rockon::rockon:

#110721

Hi,

I've taken a look, and actually I can't see a problem currently.

I think the 3rd screenshot was likely because generating the stack trace removed the 'amount' parameter somehow, i.e. not the true error.

Could you tell us what the security error was (all the details of it)? You were probably emailed it, but can also see it in the security log in the Admin Zone.

One strong possibility is "A POST request by an authenticated member was made from an external website". This seems likely, as in this event the POST data would be erased when the error triggered, hence why it was missing when you generated the stack trace. We also changed this code very recently, due to a security problem; it's now more stringent.

I wonder if the error is actually legitimate. If you typed in the address to the member profile with a different domain name (maybe you have more than one, or IPs?) it would then be the wrong referring domain when submitting the form. If you typed in with https but it submits with http, the referrer would not be passed, which would also be an unexpected condition.

Knowing the full security message will help, as it will contain the referrer string.


#110732

Fan in action

Exactly Chris,
I found "A POST request by an authenticated member was made from an external website" in the security log in the Admin Zone.

Here is the stack trace:

FYI, I have 8 ocPortal websites that were installed on 1 domain, but they use different subdomains. I linked them to each other with ocPortal's multi-site network system.

In fact, after you replied to my question, I tried to modify members' points on the other websites. The result is that I can modify members' points on 7 websites, but I cannot modify them on this website, even though this is the website with the main database.

thank you...

#110738

The full message from Admin Zone should be longer….

A POST request by an authenticated member was made from an external website (xxx); this has been blocked as it represents a security threat (it is likely a malicious site tricked a member to fill in a form which directs privileged actions towards this site).

It's the xxx bit that I'd be most interested to see.

It might be blank actually.

Stack trace is just a misdirection.


#110739

Fan in action

This is the full message from the security log in the Admin Zone:

A POST request by an authenticated member was made from an external website (); this has been blocked as it represents a security threat (it is likely a malicious site tricked a member to fill in a form which directs privileged actions towards this site).

Yeah, actually (xxx) is blank.
So what must be done?

#110740

I need to have a think, and also run some tests. Are you able to give me the site URL? Could be in a whisper if privacy is an issue.


#110744

1 quick note, I can see a bug in the group_points addon.

Could you delete the themes/default/templates_custom/POINTS_PROFILE.tpl file.

This was written for another addon and we accidentally miscategorised it into group_points.


Last edit: by Chris Graham


#110745

Ok, I've found the issue. It was one of the things I guessed earlier, but testing on your live site demonstrated it to me.

You have the 'members' module set with HTTPS, but not the points module. When the points form submits (from the members module), no referrer is sent, so the points module thinks the submission was invalid. But actually it just came from a different protocol.

The solution is to ensure that the points module is also set to HTTPS/SSL.

I'll look into documentation/workaround for this somehow.


#110747

I'll look into documentation/workaround for this somehow.

Ok, official approach is as follows…

For v9:
We have added site:points to the Security tutorial, the listed pages we recommend to enable SSL on. This will avoid the conflict.

For v10:
If the SSL addon is installed we will no longer complain about blank referers. This is safe for us in v10 because we have added token-based CSRF detection also.


Back to the top
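
The diagnosis and the v9/v10 handling described in the two posts above, modelled as an added example (this is not ocPortal or Composr code): a browser drops the Referer header when an HTTPS page posts to an HTTP URL, so a referer-only check rejects the legitimate form, while a check that also validates a per-session token can tolerate the blank referer. The host name, URLs, secret, HMAC token scheme and function names are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "example.test"            # constructed host name
SECRET = b"constructed-demo-secret"   # assumed per-site secret for the demo

def browser_referer(page_url, form_action):
    """Referer a browser sends when a form on page_url posts to form_action.
    The header is omitted when an HTTPS page submits to an HTTP URL."""
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(form_action).scheme == "http")
    return "" if downgrade else page_url

def referer_only_check(referer):
    """v9-style rule from the thread: a blank or foreign referer on an
    authenticated POST counts as a request from an external website."""
    return urlsplit(referer).hostname == SITE_HOST

def csrf_token(session_id):
    """Token embedded in forms this site serves (HMAC is an assumed scheme)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_aware_check(referer, session_id, token, ssl_addon_installed=True):
    """v10-style rule from the thread: with the SSL addon installed a blank
    referer is tolerated, because the token already ties the POST to a form
    this site served to this session."""
    if referer:
        if urlsplit(referer).hostname != SITE_HOST:
            return False
    elif not ssl_addon_installed:
        return False
    return hmac.compare_digest(token, csrf_token(session_id))

def demo():
    members_page = "https://example.test/members/view.htm"   # constructed URLs
    mixed = browser_referer(members_page, "http://example.test/points/give.htm")
    fixed = browser_referer(members_page, "https://example.test/points/give.htm")
    good = csrf_token("session-1")
    return {
        "mixed_referer": mixed,
        "v9_mixed": referer_only_check(mixed),
        "v9_both_https": referer_only_check(fixed),
        "v10_mixed_valid_token": token_aware_check(mixed, "session-1", good),
        "v10_blank_bad_token": token_aware_check("", "session-1", "0" * 64),
    }
```

In `demo()`, the `v9_mixed` result corresponds to the blocked points update in this thread, and `v9_both_https` to the fix of putting the points module on HTTPS as well.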
 
#110748

Fan in action

thank you so much Chris.. :)  :)  :)

Now, everything about updating member's point  was FIXED… :thumbs:  :thumbs:  :thumbs:  :thumbs: