Member::actionBan can cause a server error when a non-moderator touches it


Well-known member
Affected version
If a non-moderator (or guest) attempts to access members/ban, it instead causes a server error.

    public function canBan(&$error = null)
        $visitor = \XF::visitor();

        if (!$this->user_id || !$visitor->is_moderator || $this->user_id == $visitor->user_id)
            return false;
    public function userBanAddEdit(User $user)
        if (!$user->canBan($error))
            return $this->error($error);

$error will be null, which causes the error() function to throw the error:

InvalidArgumentException: The error value must be a string or an object which can be cast to a string src/XF/Mvc/Reply/Error.php:79
Stack trace
#0 src/XF/Mvc/Reply/Error.php(45): XF\Mvc\Reply\Error->validateErrorValue(NULL)
#1 src/XF/Mvc/Reply/Error.php(20): XF\Mvc\Reply\Error->setErrors(Array, false)
#2 src/XF/Mvc/Controller.php(444): XF\Mvc\Reply\Error->__construct(NULL, 200)
#3 src/XF/Pub/Controller/Member.php(1025): XF\Mvc\Controller->error(NULL)

userBanSaveProcess/actionBanSave/actionBanLift are similar.

This should be noPermission() not error() and there are a number of places which error() without checking $error is non-null. Likely the error() function should handle null.
Top Bottom