Fixed Notable Members links ignoring permission limits

Sidane

Active member
Affected version: 2.x
On the Notable Members page, when viewing a list of members, the sidebar "Members" list shows all links regardless of permission limits.

To Reproduce
  • Create a new Member Statistics in the Admin CP (the search criteria aren't important)
  • Add a "Permission limit" which excludes guest users (e.g. Post new thread)
  • Save the new Statistic
  • View the Notable Members page as a guest user and click on any link in the sidebar (e.g. Most messages)
  • A link to the newly created Member Statistics will be visible in the sidebar when it should not be
Clicking on the link restricts access correctly so the data itself is not visible, but the link should not be there. In the image below, "New Members List" shouldn't be visible unless logged in.

members-list-bug.png


Looking at XF\Pub\Controller\Member, I believe the issue is around line #48.

PHP:
$memberStats = $memberStatRepo
  ->findMemberStatsForDisplay()
  ->fetch();

$memberStats is not being filtered based on user permissions, so it should be something like:

PHP:
$memberStats = $memberStatRepo
  ->findMemberStatsForDisplay()
  ->fetch()
  ->filterViewable();

Also, this change would make line #111 redundant:

PHP:
$memberStats = $memberStats->filterViewable();
 
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.0.13).

Change log:
Fix member stat titles being displayed in some scenarios without permission
Any changes made as a result of this issue being resolved may not be rolled out here until later.
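
The mismatch described in the report above (the sidebar lists every stat while the detail view enforces the permission limit), as an added example that is not XenForo's code or part of the original thread. It is a standalone PHP 8 model: `Stat`, `sidebarUnfiltered`, `sidebarFiltered`, `leakedTitles` and the `postThread` permission name are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a member stat entity (not XenForo's class).
final class Stat
{
    public function __construct(
        public string $title,
        public ?string $permissionLimit = null // null means no permission limit
    ) {}

    // One shared check used by both the detail view and any list of links.
    public function canView(array $visitorPerms): bool
    {
        return $this->permissionLimit === null
            || in_array($this->permissionLimit, $visitorPerms, true);
    }
}

// Behaviour from the report: every stat title becomes a sidebar link.
function sidebarUnfiltered(array $stats): array
{
    return array_map(fn(Stat $s): string => $s->title, $stats);
}

// Behaviour after filtering: drop stats the visitor cannot view before rendering.
function sidebarFiltered(array $stats, array $visitorPerms): array
{
    $viewable = array_filter($stats, fn(Stat $s): bool => $s->canView($visitorPerms));
    return array_values(array_map(fn(Stat $s): string => $s->title, $viewable));
}

// Regression check: sidebar titles whose detail view would be refused.
function leakedTitles(array $sidebar, array $stats, array $visitorPerms): array
{
    $denied = array_filter($stats, fn(Stat $s): bool => !$s->canView($visitorPerms));
    $deniedTitles = array_map(fn(Stat $s): string => $s->title, $denied);
    return array_values(array_intersect($sidebar, $deniedTitles));
}

// Constructed sample data mirroring the report; a guest holds no permissions.
$stats = [new Stat('Most messages'), new Stat('New Members List', 'postThread')];
$guest = [];

echo 'unfiltered leaks: ', json_encode(leakedTitles(sidebarUnfiltered($stats), $stats, $guest)), PHP_EOL;
echo 'filtered leaks:   ', json_encode(leakedTitles(sidebarFiltered($stats, $guest), $stats, $guest)), PHP_EOL;
```

A check shaped like `leakedTitles` fits in a test that renders list pages as a guest and compares the visible links against the per-item permission check.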
 