Fixed Member::actionBan can cause a server error when a non-moderator touches it

Xon

Well-known member
Affected version
2.2.13
If a non-moderator (or guest) attempts to access members/ban, it instead causes a server error.


PHP:
    public function canBan(&$error = null)
    {
        $visitor = \XF::visitor();

        if (!$this->user_id || !$visitor->is_moderator || $this->user_id == $visitor->user_id)
        {
            return false;
        }
...
    public function userBanAddEdit(User $user)
    {
        if (!$user->canBan($error))
        {
            return $this->error($error);
        }

$error will be null, which causes the error() function to throw the error:

Code:
InvalidArgumentException: The error value must be a string or an object which can be cast to a string src/XF/Mvc/Reply/Error.php:79
Stack trace
#0 src/XF/Mvc/Reply/Error.php(45): XF\Mvc\Reply\Error->validateErrorValue(NULL)
#1 src/XF/Mvc/Reply/Error.php(20): XF\Mvc\Reply\Error->setErrors(Array, false)
#2 src/XF/Mvc/Controller.php(444): XF\Mvc\Reply\Error->__construct(NULL, 200)
#3 src/XF/Pub/Controller/Member.php(1025): XF\Mvc\Controller->error(NULL)

userBanSaveProcess/actionBanSave/actionBanLift are similar.

This should be noPermission() not error() and there are a number of places which error() without checking $error is non-null. Likely the error() function should handle null.
 
I have gotten this error several times now, too.

 
The question is, how to call that function as a guest?
Open a private browser window to your forum so you are not logged in. On your forum, if your username is aerosimit and you are user id 1, go to this page:

/forum/members/aerosimit.1/ban

1) The forum page will say an error has occurred.
2) Your admin control panel will now have a correlated error log.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.14).

Change log:
Use a no-permission response when a user cannot be banned, and gracefully handle error responses without a proper error message
There may be a delay before changes are rolled out to the XenForo Community.
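
The failure mode and the fix described in this thread, as an added example that is not XenForo's code: `Reply`, the function names, the 403 status and the default message are simplified stand-ins assumed for illustration.

```php
<?php
// Added illustration with simplified stand-ins; not XenForo source.
final class Reply
{
    public function __construct(public int $httpCode, public string $message) {}
}

// Permission check that reports its reason through a by-reference out-parameter.
function canBan(bool $isModerator, ?string &$error = null): bool
{
    if (!$isModerator) {
        return false; // early return: $error is never set and stays null
    }
    return true;
}

// Error helper that rejects anything it cannot cast to a string.
function errorReply(mixed $error, int $code = 200): Reply
{
    if (!is_string($error) && !($error instanceof Stringable)) {
        throw new InvalidArgumentException(
            'The error value must be a string or an object which can be cast to a string'
        );
    }
    return new Reply($code, (string) $error);
}

// No-permission helper: falls back to a default message when no reason was given.
function noPermissionReply(?string $error = null): Reply
{
    return new Reply(403, $error ?? 'You do not have permission to perform this action.');
}

// Before: assumes the out-parameter is populated whenever the check fails.
function banPageBefore(bool $isModerator): Reply
{
    return canBan($isModerator, $error) ? new Reply(200, 'ban form') : errorReply($error);
}

// After: a failed authorization check maps to a no-permission reply.
function banPageAfter(bool $isModerator): Reply
{
    return canBan($isModerator, $error) ? new Reply(200, 'ban form') : noPermissionReply($error);
}

try {
    banPageBefore(false); // guest or non-moderator request
} catch (InvalidArgumentException $e) {
    echo 'before: unhandled ', get_class($e), " (server error, entry in the error log)\n";
}
$reply = banPageAfter(false);
echo "after: HTTP {$reply->httpCode} {$reply->message}\n";
```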
 
Open a private browser window to your forum so you are not logged in. On your forum, if your username is aerosimit and you are user id 1, go to this page:

/forum/members/aerosimit.1/ban

1) The forum page will say an error has occurred.
2) Your admin control panel will now have a correlated error log.
I'm still on 2.2.13 and just tried that, but alas didn't get the error, i.e. it works properly. Anyway, it's been fixed for the next version.
 