canEdit() for metadata and annotations should return true if owner_guid = logged in user (Trac #721) #721
Comments
trac user twall wrote on 39081811-02-09: create_metadata should probably have the same permissions checking as delete_metadata, including calling out to the plugin hook.
brettp wrote on 40084985-09-19: The current check in can_edit_entity_metadata() can be modified to check if the metadata is owned by the currently logged in user and then delete it. As it stands, unowned metadata can be deleted by anyone. The current workaround is to use elgg_set_ignore_access(TRUE);
trac user crantisz wrote on 40547373-02-23: I didn't find anything about the permissions check for annotations. Replacing $vars['annotation']->canEdit() with $vars['annotation']->owner_guid==get_loggedin_userid() works well, but it is bad, because annotations then have no protection.
For metadata: in the ElggMetadata class
and in the ElggEntity class

Setting metadata does not use the access system or any calls to canEdit(). Deleting metadata does, through _elgg_delete_metastring_based_object_by_id(). The set methods ignore access when changing metadata because of this section of code in ElggEntity::setMetadata():
Fixes #721 users can edit metadata that they created by default
Original ticket http://trac.elgg.org/ticket/721 on 39081807-04-11 by trac user twall, assigned to unknown.
Elgg version: 1.5
The default behavior (in the absence of a permissions_check:metadata hook) is to disallow deleting metadata by a normal user, even if that user created the metadata.
Either creation of metadata should be disallowed, if the user really doesn't have object modification privileges, or deletion of metadata should be allowed.
```php
// add
create_metadata($guid, 'name', $user_guid, 'int', $user_guid, 1, true);
// delete
$data = get_metadata_byname($guid, 'name');
$data->delete();
```
The add always succeeds, the delete always fails.
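A sketch of the decision the ticket asks for, as an added example that is not Elgg's own code: a standalone PHP function modelling what a metadata canEdit() should return, checking the creator first, then the parent entity's permission, then giving a permissions_check:metadata-style hook the last word. The `$entityCanEdit` and `$hook` callables, the array stand-in for ElggMetadata and the sample GUIDs are assumptions for illustration only.

```php
<?php
// Added example, not Elgg code: models the canEdit() decision for one metadata row.
// $metadata:      assoc array with 'owner_guid' and 'entity_guid' (stand-in for ElggMetadata)
// $userGuid:      GUID of the logged-in user (0 when nobody is logged in)
// $entityCanEdit: callable(int $entityGuid, int $userGuid): bool,
//                 stand-in for ElggEntity::canEdit() on the parent entity
// $hook:          callable(array $params, bool $default): ?bool, stand-in for the
//                 'permissions_check:metadata' plugin hook; null means "no opinion"
function metadata_can_edit(array $metadata, int $userGuid, callable $entityCanEdit, callable $hook): bool
{
    // Nobody logged in: no edit rights, regardless of ownership.
    if ($userGuid === 0) {
        return false;
    }

    // Default decision: the creator of the metadata may edit it, as may anyone
    // who can edit the entity it is attached to. This removes the asymmetry the
    // ticket describes, where a user can create metadata but never delete it.
    $default = ($metadata['owner_guid'] === $userGuid)
        || $entityCanEdit($metadata['entity_guid'], $userGuid);

    // Plugins get the last word, mirroring what delete_metadata already allows.
    $override = $hook(['metadata' => $metadata, 'user_guid' => $userGuid], $default);
    return $override === null ? $default : (bool) $override;
}

// Constructed sample: metadata created by user 42 on entity 100, which user 7 owns.
$row = ['entity_guid' => 100, 'owner_guid' => 42];

// Stand-in entity check: only the entity owner (user 7) or the admin (user 1) may edit entity 100.
$entityCanEdit = fn(int $entityGuid, int $userGuid): bool => in_array($userGuid, [7, 1], true);

// Stand-in hook with no plugin registered: never overrides the default.
$noHook = fn(array $params, bool $default): ?bool => null;

var_dump(metadata_can_edit($row, 42, $entityCanEdit, $noHook)); // creator of the metadata
var_dump(metadata_can_edit($row, 7, $entityCanEdit, $noHook));  // owner of the parent entity
var_dump(metadata_can_edit($row, 99, $entityCanEdit, $noHook)); // unrelated user
var_dump(metadata_can_edit($row, 0, $entityCanEdit, $noHook));  // nobody logged in

// A stand-in plugin hook that locks metadata on entity 100 for everyone but the admin.
$lockHook = fn(array $params, bool $default): ?bool =>
    ($params['metadata']['entity_guid'] === 100 && $params['user_guid'] !== 1) ? false : null;
var_dump(metadata_can_edit($row, 42, $entityCanEdit, $lockHook)); // creator, vetoed by the hook
```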