#3522 closed Defect (fixed)
Adding friends to a collection fails (Elgg 1.7.9)
| Reported by: | iionly | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | Elgg 1.7.10 |
| Component: | Core | Version: | 1.7 |
| Severity: | minor | Keywords: | friends, friends collection |
| Cc: | brett@… | Difficulty: |
Description
It seems adding friends to a collections (both existing collection and new collection) fails with Elgg 1.7.9. It's possible to select friends in "Edit collection" but the changes are not saved.
Change History (7)
comment:1 Changed 2 years ago by cash
- Milestone changed from Needs Review to Elgg 1.7.10
- Priority changed from normal to high
comment:2 Changed 2 years ago by rivervanrain
Problem has been resolved when I deleted $user_guid from $collections = get_write_access_array($user_guid);
comment:3 Changed 2 years ago by brettp
The solution in [svn:9128] doesn't work right in most cases.
The overarching problem is that permissions are being checked in the add_user_to_access_collection() function for the currently logged in user to have write access to the acl that you're trying to add a user to.
Options:
- Move checking for permissions to actions and allow add_user_to_access_collection() to always work like other parts of the ACL systems.
- Use elgg_set_ignore_permissions() when populating ad-hoc ACLs and wire these functions to respect that.
- Add a 2nd $user param to pass to ACL functions that check access for that users instead of the logged in user.
Other thoughts?
comment:4 Changed 2 years ago by cash
As a developer I like that elgg_get_entities() handles the access stuff for me. I don't want to have to track who has access to what. I'm not a fan of Elgg thinking it is smarter than me with respect to access collections. If I'm writing a plugin and I think Joe should be added to Ed's access collection, why should Elgg prevent me just because Ed is not logged in right now? I vote for removing access checks on access collections.
The access checks have caused problems a few times (1.6 with groups I believe and now), and I don't think they help me from doing something bad.
comment:5 Changed 2 years ago by brettp
I also prefer removing the checks from the functions, at the very least because it's very inconsistently implemented. Unless there are objections this will be the way I proceed.
comment:6 Changed 2 years ago by brettp
- Resolution set to fixed
- Status changed from new to closed
(In [svn:9203]) Fixes #3522, refs #3323, #3552. Added more unit tests for ACLs and group ACLs. Added can_edit_access_collection() and moved permission checks for ACL changes to actions.
comment:8 Changed 19 months ago by cash
This was merged into 1.8 in [9a53ddf57cdbf557b0d4f21d0fdf01b4b92569c4]
Confirmed. Likely this commit [svn:9128]