Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

canEdit() for metadata and annotations should return true if owner_guid = logged in user (Trac #721) #721

Closed
elgg-gitbot opened this issue Feb 16, 2013 · 9 comments
Closed

canEdit() for metadata and annotations should return true if owner_guid = logged in user (Trac #721) #721

elgg-gitbot opened this issue Feb 16, 2013 · 9 comments
Labels
engine
Milestone
Elgg 1.9.0 Releas...

Comments

@elgg-gitbot
Copy link

Original ticket http://trac.elgg.org/ticket/721 on 39081807-04-11 by trac user twall, assigned to unknown.

Elgg version: 1.5

The default behavior (in the absence of a permissions_check:metadata hook) is to disallow deleting metadata by a normal user, even if that user created the metadata.

Either creation of metadata should be disallowed, if the user really doesn't have object modification privileges, or deletion of metadata should be allowed.

add: create_metadata($guid, 'name', $user_guid, 'int', $user_guid, 1, true)
delete: $data = get_metadata_byname($guid, 'name'); $data->delete();

The add always succeeds, the delete always fails.
@elgg-gitbot
Copy link
Author

trac user twall wrote on 39081811-02-09

create_metadata should probably have the same permissions checking as delete_metadata, including calling out to the plugin hook.

@elgg-gitbot
Copy link
Author

brettp wrote on 40084985-09-19

The current check in can_edit_entity_metadata() can be modified to check if the metadata is owned by the currently logged in user and delete then. As it stands, unowned metadata can be deleted by anyone.

Current workaround is to use elgg_set_ignore_access(TRUE);

@elgg-gitbot
Copy link
Author

Milestone changed to Elgg 1.8 by brettp on 40084985-09-19

@elgg-gitbot
Copy link
Author

Title changed from Normal user can add but not remove metadata to canEdit() for metadata and annotations should return true if owner_guid = logged in user by brettp on 40087429-09-29

@elgg-gitbot
Copy link
Author

trac user crantisz wrote on 40547373-02-23

i dont found any data about permissions check of annotations. Replacing $vars['annotation']->canEdit() with $vars['annotation']->owner_guid==get_loggedin_userid() works good, but it is bad, becouse annotations haven't protection.

@elgg-gitbot
Copy link
Author

Milestone changed to Elgg 1.8.1 by cash on 40996950-09-11

@elgg-gitbot
Copy link
Author

Milestone changed to Elgg 1.9.0 by cash on 42105245-03-08

@elgg-gitbot elgg-gitbot mentioned this issue Feb 16, 2013
Closed
@cash
Copy link
Contributor

cash commented Jul 4, 2013

For metadata:

In ElggMetadata class

    public function canEdit($user_guid = 0) {
        if ($entity = get_entity($this->get('entity_guid'))) {
            return $entity->canEditMetadata($this, $user_guid);
        }
        return false;
    }

and in ElggEntity class

    public function canEditMetadata($metadata = null, $user_guid = 0) {
        if (!$this->guid) {
            return false;
        }

        $return = null;

        if ($metadata && ($metadata->owner_guid == 0)) {
            $return = true;
        }

        if (is_null($return)) {
            $return = $this->canEdit($user_guid);
        }

        if ($user_guid) {
            $user = get_entity($user_guid);
        } else {
            $user = elgg_get_logged_in_user_entity();
        }

        $params = array('entity' => $this, 'user' => $user, 'metadata' => $metadata);
        return elgg_trigger_plugin_hook('permissions_check:metadata', $this->type, $params, $return);
    }

@cash
Copy link
Contributor

cash commented Jul 4, 2013

Setting metadata does not use the access system or any calls to canEdit(). Deleting metadata does through _elgg_delete_metastring_based_object_by_id().

The set methods ignore access when changing metadata because of this section of code in ElggEntity::setMetadata():

        // need to remove access restrictions right now to delete
        // because this is the expected behavior
        $ia = elgg_set_ignore_access(true);
        if (false === elgg_delete_metadata($options)) {
            return false;
        }
        elgg_set_ignore_access($ia);

cash added a commit to cash/Elgg that referenced this issue Jul 4, 2013
@cash
Refs Elgg#721 moved can_edit_extender() code into ElggAnnotation and …
930e114 
…improved its logic
@cash cash closed this as completed in 1a7f029 Jul 4, 2013
cash added a commit that referenced this issue Jul 4, 2013
@cash
Merge pull request #5754 from cash/can_edit_metadata
0ba8fc4 
Fixes #721 users can edit metadata that they created by default
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
engine
Milestone
Elgg 1.9.0 Release Candidate
Development

No branches or pull requests
2 participants
@cash @elgg-gitbot