Fixed Member::actionBan can cause a server error when a non-moderator touches it

Xon

Well-known member
Affected version
2.2.13
If a non-moderator (or guest) attempts to access members/ban, it instead causes a server error.


PHP:
    public function canBan(&$error = null)
    {
        $visitor = \XF::visitor();

        if (!$this->user_id || !$visitor->is_moderator || $this->user_id == $visitor->user_id)
        {
            return false;
        }
...
    public function userBanAddEdit(User $user)
    {
        if (!$user->canBan($error))
        {
            return $this->error($error);
        }

$error will be null, which causes the error() function to throw the error:

Code:
InvalidArgumentException: The error value must be a string or an object which can be cast to a string src/XF/Mvc/Reply/Error.php:79
Stack trace
#0 src/XF/Mvc/Reply/Error.php(45): XF\Mvc\Reply\Error->validateErrorValue(NULL)
#1 src/XF/Mvc/Reply/Error.php(20): XF\Mvc\Reply\Error->setErrors(Array, false)
#2 src/XF/Mvc/Controller.php(444): XF\Mvc\Reply\Error->__construct(NULL, 200)
#3 src/XF/Pub/Controller/Member.php(1025): XF\Mvc\Controller->error(NULL)

userBanSaveProcess/actionBanSave/actionBanLift are similar.

This should be noPermission() not error() and there are a number of places which error() without checking $error is non-null. Likely the error() function should handle null.
 
I have gotten this error several times now, too.

Updates Status GIF by Originals
 
The question is, how to call that function as a guest?
Open a private browser window to your forum so you are not logged in. On your forum, if your username is aerosimit and you are user id 1, go to this page:

/forum/members/aerosimit.1/ban

1) the forum page will say error has occurred.
2) your admin control panel will now have a correlated error log
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.14).

Change log:
Use a no-permission response when a user cannot be banned, and gracefully handle error responses without a proper error message
There may be a delay before changes are rolled out to the XenForo Community.
 
Open a private browser window to your forum so you are not logged in. On your forum, if your username is aerosimit and you are user id 1, go to this page:

/forum/members/aerosimit.1/ban

1) the forum page will say error has occurred.
2) your admin control panel will now have a correlated error log
I'm still on 2.2.13 and just tried that, but alas didn't get the error, ie it works properly. Anyway, it's been fixed for the next version.
 
Back
Top Bottom