Hi, I'm currently trying to figure out how to fix a plugin that we already have installed and which stopped working due to the security fix implemented in version 3.7.

I've learned a lot about the process of vBulletin Products and how they are created. And even managed to find exactly the part I wanted, I just don't know how to implement the fix for the CSRF as it's part of the vBulletin admincp options.

The Product in question is the Split Useronline :
https://vborg.vbsupport.ru/showthread.php?t=135771

The basic problem is that the saving of the settings no longer work. I presume this is due to the CSRF change. Though from what I've read about it the solution to the problems caused by it is to add the security token on an input element though I've looked at the source for the page and it's already there due to the options being added onto an existing options form. Forums Home Page Options to be precise. So I would have expected it to work.

Or is there something else that needs to be added to the extra form elements to make them work?

I know of how to alter the sections on the page now, though I've gotta say there is no info available on how to get there, documents mention about how to get into debug mode but didn't explain that extra options would appear in it lol. I'll be happy to provide whatever info is required.

Does vBulletin throw an error complaining about the security token?

No which actually surprised me, so does that mean it's not CSRF causing it?

I had my suspicions but it only stopped working after the 3.7 upgrade and that's the only issue concerning plugins/products I've heard mentioned. Especially as it effects a form lol. And it's not an isolated incident as others who replied to the Product thread are all experiencing the same issue since the upgrade.

So are there are any other issues that have occurred since the upgrade? Possibly more stringent error checks or something? Would it help posting the xml from the Product file used for the admin options section?

If you have questions/problems with a modification or style, then please post in the thread (or support forum/board) about that modification/style. Best chance to receive a reply from either the author or another member using the same modification/style.

It seems the author no longer supports the plugin and everyone else seems just as clueless as to what is causing the issue. So I was attempting to take things into my own hands with a little guidance lol.

No which actually surprised me, so does that mean it's not CSRF causing it?

Yes, thats exactly what it means. If it was the new CSRF then you would get the token error page.

So are there any other known issues affecting forms (specifically forms in the admin options) that have occurred since the upgrade to 3.7?

As I assume any such issues would be posted in the coders forum which I wouldn't gain access to until after I have released some plugins. I was planning this to be the first lol (Though I'm not even sure if porting a mod between versions even counts but at the very least it would have been a good base to start from).

EDIT: If it helps the elements the form seems to be ignoring/not remembering are groups of tick boxes. Basically the plugin adds three sets of tickboxes per usergroup into the admincp home page options. it DOES seem to remember the radio button just before it ok which is also part of the plugin (only just noticed this after it was confirmed it wouldn't be CSRF). So it is only affecting the tickboxes.

The only requirement added to forms is the CSRF token, of which you would have received an error from vBulletin if it was missing.

It might help if you (again) only posted what problems you have (in detail), instead of asking for a solution that will not solve your problem. ;)

(I wasn't aware it wasn't CSRF until Pauls post)

Well the issue is that on the Forum Home Page Options page (in the admincp vB options section) some of the form added by the above mentioned plugin doesn't have their values saved. The ones that don't work are 3 sets of checkboxes (a checkbox per usergroup in each setting).

Ive tried looking into it further now that I know it definitely isn't the CSRF fix causing it. I believe I've got it down to two sections of code that could be causing it, either the custom option code that was used for the checkboxes or the plugin that was attached to the admin_options_processing hook. I believe it's likely to be the former of the two possibilities.

I've included the code for both below:
" . eval('foreach($vbulletin->usergroupcache AS $usergroupid => $usergroup)
{
$teamusergroups .= "\\t\\t<label for=\\"setting[$setting[varname]]$usergroupid\\" title=\\"usergroupid: $usergroupid\\"><input type=\\"checkbox\\" tabindex=\\"1\\" name=\\"setting[$setting[varname]]"."[]\\" id=\\"setting[$setting[varname]]$usergroupid\\" value=\\"$usergroupid\\"" . iif(strpos(",$setting[value],", ",$usergroupid,") !== false, \' checked="checked"\') . iif($vbulletin->debug, " title=\\"name=&quot;setting[$setting[varname]]&quot;\\"") . " />$usergroup[title]</label><br />\\n";
}
return "<span class=\\"smallfont\\">\\n$teamusergroups\\t</span>";') . "<input type=\"hidden\" name=\"setting[$setting[varname]][]\" value=\"0\" />

The above code is the Option code for the first of the three checkbox options in the admincp (gotten through debug mode). When I attempted to print out the $setting[value] array (the array used in the decision to display checked="checked" or not) it appeared to be empty for me. i.e. just displaying Array rather than any values.

The code attached to the admin_options_processing hook is as below:

if (is_array($vbulletin->GPC['setting']['split_useronline_teamusers']))
{
$vbulletin->GPC['setting']['split_useronline_teamusers'] = implode(',', $vbulletin->GPC['setting']['split_useronline_teamusers']);
}
if (is_array($vbulletin->GPC['setting']['split_useronline_premiumusers']))
{
$vbulletin->GPC['setting']['split_useronline_premiumusers'] = implode(',', $vbulletin->GPC['setting']['split_useronline_premiumusers']);
}
if (is_array($vbulletin->GPC['setting']['split_useronline_vipusers']))
{
$vbulletin->GPC['setting']['split_useronline_vipusers'] = implode(',', $vbulletin->GPC['setting']['split_useronline_vipusers']);
}

--------------- Added 1212105399 at 1212105399 ---------------

Done some further testing whilst waiting for some feedback anyway.

Did some print outs inside the above mentioned plugin (the one attached to the admin_options_processing hook) and the settings appear to make it that far just fine. i.e. the array is populated ok when boxes are ticked and after the implode lines it creates a string like "3,4,6". When does that hook get called though? only when saving the settings? And before or after the saving?

I'm asking this because I took a look into the database to see where the settings where saved and found the options in the datastore table. The relevant serialized section (ignoring the cyb part) being just below:

s:23:"split_useronline_active";s:1:"1";s:26:"split_useronline_teamusers";s:5:"Array";
s:29:"split_useronline_premiumusers";s:5:"Array";s:25:"split_useronline_vipusers";
s:5:"Array";

As you can see it seems that even in the database it seems to be storing the value Array instead of the elements in that array. So I'm trying to find why that is occurring?

You cannot simple "store" an array. You need to serialise it first.

In that case does anyone know when the admin_options_processing hook get called? Because looking at the plugin code above on that hook it looks like it gets rid of the array for a simple string. Also if it calls this hook before saving the data then should I just serialise them inside that plugin?