Clear Notifications

[Tom Irons]

I'll come up with a fix for it.

[W.W.W]

Can you add so you need to reply to thread to view links?

[Joel R]

Hi @Tom Irons I wanted to let you know there's a potential bug in your plugin "Clear Notifications" that triggered a whole mess of system errors on my community  

 \IPS\Member::loggedIn() returns a guest object

Another third-party developer kindly suggested you use the following code to stop the error:

public function clearNotifications()
   {
            /* Clear the users notifications */
            if( \IPS\Member::loggedIn()->member_id ){
                \IPS\Db::i()->delete( 'core_notifications', 'member=' . \IPS\Member::loggedIn()->member_id );
            }
           \IPS\Output::i()->redirect( \IPS\Http\Url::internal( NULL ), 'ClearNotifications_complete' );

   }

Hope this helps

[Joel R]

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
DELETE FROM `core_notifications` WHERE member=
 | File                                                                       | Function                                                                      | Line No.          |
 |----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------|
 | /system/Db/Db.php                                                          | [IPS\Db\_Exception].__construct                                               | 393               |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 | /system/Db/Db.php                                                          | [IPS\_Db].preparedQuery                                                       | 946               |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 | /init.php(443) : eval()'d code                                             | [IPS\_Db].delete                                                              | 10                |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 |                                                                            | [IPS\core\modules\front\system\hook1313].clearNotifications                   |                   |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 | /system/Dispatcher/Controller.php                                          | [].call_user_func                                                             | 85                |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 | /system/Dispatcher/Dispatcher.php                                          | [IPS\Dispatcher\_Controller].execute                                          | 129               |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
 | /index.php                                                                 | [IPS\_Dispatcher].run                                                         | 15                |
 '----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'

 

#0 /home/nginx/domains/mywebsite.com/public/init.php(507): IPS\_Log::log('DELETE FROM `co...', 'uncaught_except...')
#1 [internal function]: IPS\IPS::exceptionHandler(Object(IPS\Db\Exception))
#2 {main}

 

[IPBSkins]

It is not so much a bug as CSRF vulnerability. No checking CSRF key. Thus malitious user may in some way to follow the link and delete all user notifications.
We created a similar plugin without reloading the page on Ajax http://ipbskins.ru/forum/files/file/341-siv41-delete-all-notifications/
Uplaod to the marketplace, but for some unknown reason the file is not approved..
 

[Tom Irons]

I don't think there is anyway someone can maliciously delete someone's notifications. It checks to see if the user is logged in and if they are it will only remove their notifications.

I would assume it wasn't approved cause mine is already on the marketplace. Why would they want more than one plugin to do the same thing?

[IPBSkins]

On 13 января 2017 г. at 6:50 AM, Tom Irons said:

I don't think there is anyway someone can maliciously delete someone's notifications. It checks to see if the user is logged in and if they are it will only remove their notifications.

What will happen if you go directly to the link? Will be removed the notification of the current user. That is, one way or another, can call the address  and run the function of the current user without verifying that the request came from him. For example posting the directly link, shortened link or dynamic image. You don't check CSRF key and it is in this case is a potential vulnerability (see cross site request forgery attack). Suppose that in this case a small, but if it came to the removal of personal correspondence? This is serious.

[Tom Irons]

I added CSRF protection into the plugin and updated it. If there's anything else you'd like to see added into the plugin let me know.

[sweethoney]

dont work for me

[Tom Irons]

Just now, sweethoney said:

dont work for me

I need more information than just that... are you receiving an error?

[sweethoney]

ill let you no latter im running some test

i got it 2 work it was confecting with a plugin i had

[Subseven]

I installed it and it worked fine in the latest IPB. Than a couple days later it don't work. Any ideas?

[Subseven]

Uninstalling until we get an update. Worked at first.

[Simon Woods]

Hi, I was wondering if this will need an update for 4.2, and if so will it be provided?

[Tom Irons]

On 8/4/2017 at 0:58 PM, Simon Woods said:

Hi, I was wondering if this will need an update for 4.2, and if so will it be provided?

This plugin still works and doesn't need an update for 4.2.x.

[Simon Woods]

Thanks!

[WJWM]

We've noticed a problem with 1.01 on our forum (v. 4.2.2) when using computer or iPad. When clicking Clear notifications in the 'View all notifications' list an alert appears as below, whereas when clicking Clear notifications on the Notifications popup the feature works as it should.

[Tom Irons]

I'll take a look at that when I can, are there any errors in the logs related to the plugin?

Thanks!

[Simon Woods]

I get the same problem, with no errors logged. It's at this URL:

https://SITE-URL/index.php?app=core&module=system&controller=plugins&do=clearNotifications

 

[Tom Irons]

Disable the plugin for now, and I'll try to take a look this weekend.

[Tom Irons]

It's because the CSRF token isn't being added into the url. Do you have friendly urls enabled or disabled?

[Simon Woods]

8 hours ago, Tom Irons said:

It's because the CSRF token isn't being added into the url. Do you have friendly urls enabled or disabled?

Enabled.

[Tom Irons]

@Simon Woods if you hover over the clear link, does it have a csrf parameter?

[Simon Woods]

33 minutes ago, Tom Irons said:

@Simon Woods if you hover over the clear link, does it have a csrf parameter?

Nope, not on the notifications page. However, it does in the menu.

[Tom Irons]

That would explain it, sorry about that. I'll have an update for the plugin soon.