FAPI security check (form.inc, line 697) fails for permission names containing single quotes, causing an 'Illegal choice' error. Replacing the single qoutes with asterisks fixes the this behavior for me.
Setup
os: ubuntu 8.04 server
httpd: lighty 1.4.19
php: php-cgi 5.2.4-2ubuntu5.6

Comments

spyfalcon’s picture

spyfalcon commented

It seems PHP causes this by escaping form element names <input name="1[access 'all' tab]" value="acess 'all' tab"/>
becomes 'access \'all\' tab' => "access 'all' tab" (same result as passing the input name to addslashes())

rdeboer’s picture

rdeboer
Location Melbourne
commented

Thanks spyfalcon!
You're the first to report this... does that mean that most Drupal installations run a different version of PHP, or at least one that is configured differently?

I guess I'm going to have to change the quotes to asterisks causing those that use the module to redo their permissions.... Shame that asterisks don't read as nicely as quotes....

Rik

spyfalcon’s picture

spyfalcon commented

Hello Rik

does that mean that most Drupal installations run a different version of PHP, or at least one that is configured differently?
Well, yes, which PHP version/configuration you use to run your scripts is up to you (as long as you have the necessary permissions).

Shame that asterisks don't read as nicely as quotes
Hey at least it works :)

ntcrportec’s picture

ntcrportec commented

Hi,
Just to say I've encoutered the same problem.
I've replace quotes by asterix, and now it work very well.
Thanks

rdeboer’s picture

rdeboer
Location Melbourne
commented

Thanks ntcportec,
Can you please share with us the details of your system (OS, PHP versions).
I certainly haven't encountered this myself on Windows or Mac. I'm wondering whether it's a Linux/Linux-clone thing and whether it is subject to configuration.
Rik

yarma’s picture

yarma commented

it's not a bug in the module, but as "misconfiguration" of the web hosting server!
as the quotes can be very dangerous if used with custom sql queries, the "magic_quotes" function was coded into php.
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

this function is DEPRECATED as of PHP 5.3.0, but is still in use on many "bad" web hosting services ...
in the drupal .htaccess file you can find some lines intending to disable this feature "php_value magic_quotes_gpc 0", but depending on the server configuration this lines are sometime simply ignored and the magic_quotes_gpc remain activ

the better solution is to host your drupal installation on a server with a recently enougth php, or to test some modifications in the .htaccess file:

php_value magic_quotes_gpc 0
php_value magic_quotes 0
SetEnv MAGIC_QUOTES_GPC 0
SetEnv MAGIC_QUOTES 0
ini_set('magic_quotes_gpc', '0')
ini_set('magic_quotes_gpc', 'off')

for myself on the french web hosting service OVH, I have to use "SetEnv MAGIC_QUOTES 0". With magic_quotes on, i give an error message, with magic_quotes off, everything is working well ;)

rdeboer’s picture

rdeboer
Location Melbourne
commented
Status: Active » Closed (won't fix)

Thanks so much for your thorough analysis, yarma!
Based on this I may leave the code as is and encourage people to upgrade their PHP or make sure that their web server is properly configured as per your instructions.
If I change the code more people may be inconvenienced than when I leave it the way it is.
Rik

brisath’s picture

brisath commented

@Yarma

Thanks for the lead on that work around. In my case, the shared host was using PHP v5.2.9 and by changing the line in the php.ini file from magic_quotes_gpc = On to magic_quotes_gpc = Off that seems to have fixed the permission error problem. The .htaccess file already had php_value magic_quotes_gpc 0 and this obviously wasn't working, but the php.ini change solved it.

rdeboer’s picture

rdeboer
Location Melbourne
commented
Status: Closed (won't fix) » Closed (fixed)

Quotes were removed long time ago.