Member::actionBan can cause a server error when a non-moderator touches it

[Xon]

Affected version

2.2.13

If a non-moderator (or guest) attempts to access members/ban, it instead causes a server error.

    public function canBan(&$error = null)
    {
        $visitor = \XF::visitor();

        if (!$this->user_id || !$visitor->is_moderator || $this->user_id == $visitor->user_id)
        {
            return false;
        }
...
    public function userBanAddEdit(User $user)
    {
        if (!$user->canBan($error))
        {
            return $this->error($error);
        }

$error will be null, which causes the error() function to throw the error:

InvalidArgumentException: The error value must be a string or an object which can be cast to a string src/XF/Mvc/Reply/Error.php:79
Stack trace
#0 src/XF/Mvc/Reply/Error.php(45): XF\Mvc\Reply\Error->validateErrorValue(NULL)
#1 src/XF/Mvc/Reply/Error.php(20): XF\Mvc\Reply\Error->setErrors(Array, false)
#2 src/XF/Mvc/Controller.php(444): XF\Mvc\Reply\Error->__construct(NULL, 200)
#3 src/XF/Pub/Controller/Member.php(1025): XF\Mvc\Controller->error(NULL)

userBanSaveProcess/actionBanSave/actionBanLift are similar.

This should be noPermission() not error() and there are a number of places which error() without checking $error is non-null. Likely the error() function should handle null.

 

[Aerosimit]

The question is, how to call that function as a guest?

 

[Xon]

The question is, how to call that function as a guest?

It is a url; it gets entered into a browser.