can_write_to_container() with a group ignores owner_guid (Trac #3722) #3722
Comments
|
cash wrote on 41758108-06-28 Looks like this has major issues. |
|
Milestone changed to |
|
cash wrote on 41760435-05-12 Looks like [72a8ae0] also dealt with this. I'm going to take a look at the original problem and the current solution. Then I'll post some thoughts here. |
|
cash wrote on 41760490-01-20 can_write_to_container() is called from
For the plugin usage, a user may or may not be logged in, but in the cases of a logged out user, it is expected that false is returned. For create_entity(), we allow logged out users to create entities so that they can register. Further, there may be additional cases for this from 3rd party plugins. In addition to fixing the bug described in this ticket, the commit also fixed a bug where the user object passed to the plugin hook was ignored by elgg_override_permissions_hook(). This probably should have been its own ticket. This secondary fix introduced the bug that was fixed in [72a8ae0]. The primary fix introduced a bug of the same variety as that one into can_write_to_container(). The fix looks simple - just add a check that the $user variable is non-null in the check for the $container variable being non-null. I recommend that we add something into our best practices about checking object variables before calling a method on the object. |
|
cash wrote on 41777013-07-31 I don't believe these changes have been merged into master/1.8 |
|
cash wrote on 41801637-08-18 Reopening due to change in how access works. See #3979 for details. |
|
Milestone changed to |
Original ticket http://trac.elgg.org/ticket/3722 on 41612506-02-01 by brettp, assigned to unknown.
Elgg version: 1.7
canEdit() is checked, but then if it's a group it checks membership. It shouldn't check membership if canEdit() is true.
The text was updated successfully, but these errors were encountered: