id: 3807
summary: Admin Functions Denying Access with "You don't have permission to do that"
reporter: seanwedig
owner:
type: defect (bug)
status: closed
priority: normal
milestone:
component: Administration
version: 2.1
severity: major
resolution: wontfix
keywords: permissions has-patch 2nd-opinion
cc:
focuses:

description:

This sounds like it may be related to defect #3798, but my investigations have pointed me at other potential problems (and potential fix), so I'm submitting it separately.

I just recently did a completely new installation of Wordpress 2.1. I installed it on a local machine just fine, and ran it with a local database with no worries (I was doing theme development on a local box). On this local machine, I could log in as Admin and perform all administrative tasks I wanted with no problems, including clearing out the default blogroll items, creating new users, and whatnot.

I then went ahead and uploaded the exact same 2.1 package and installed it on a server in order to deploy the theme, but found that many of the admin functions were not working. Not all of them, but most. Those that denied access all failed with the error message "You don't have permission to do that." which I tracked down to the AJAX JS code.

I did some digging to see where in the code things were dying and causing the AJAX permission check to fail on the server (returning '-1'), and I came across code in wp-includes/pluggable.php's check_ajax_referer function. Specifically, the call to wp_login was returning false and dying with '-1', which was then denying access to execute whatever Admin function I was trying.

After debugging a little, it struck me as odd that, in order to extract the $user and $pass variables, the submitted cookie values were being manually parsed out from $_POST['cookie']. This was in check_ajax_referer. When I replaced manual parsing with pulling USER_COOKIE and PASS_COOKIE from the $_COOKIE variable, it appears to have fixed my problem.

(I apologize for not submitting a diff for WP's purposes - I'm not exactly sure how it should be generated, but I am glad to learn!)

I think it came down to the parsing based on string position of an equal sign. The hashed cookie keys may have sometimes included that equal sign, and so messed up the manual parsing; I'm not 100% sure on that - it is just speculation. I'm willing to accept that I've got it all wrong, as I do not know the WP code. :)

To be precise, I replaced lines 244 through 250 of wp-includes/pluggable.php

{{{
$cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
foreach ( $cookie as $tasty ) {
	if ( false !== strpos($tasty, USER_COOKIE) )
		$user = substr(strstr($tasty, '='), 1);
	if ( false !== strpos($tasty, PASS_COOKIE) )
		$pass = substr(strstr($tasty, '='), 1);
}
}}}

with

{{{
$user = $_COOKIE[USER_COOKIE];
$pass = $_COOKIE[PASS_COOKIE];
}}}

and it appears to have fixed the problem.

-Sean