[OzzModz] Can't Report Own Content

[OzzModz] Can't Report Own Content 2.0.1

Looks like you're using template mods to hide the report button conditionally. Couple of thoughts on this: Using that approach would still allow people to send reports either by A) having a link to the report page for the content (which can technically be inferred from looking at the report link of other contents and the edit/delete link of the given content) or B) posting to the endpoint directly. It would probably be better to alter the canReport() function of the respective entities instead; something simple like the function below should do. That would also make sure it works with any type of 3rd party custom display that has its own report button.

PHP:
public function canReport(&$error = null, User $asUser = null)
{
    $asUser = $asUser ?: \XF::visitor();
    return parent::canReport($error, $asUser) && $asUser->user_id !== $this->user_id;
}
 
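The point made in the post above, that hiding a button in a template is not an access control, shown as an added example (not code from the thread or from XenForo). `Visitor`, `Post`, `PostNoSelfReport`, `renderReportButton()` and `handleReportRequest()` are hypothetical simplified stand-ins, not XenForo classes or routes, and the sample IDs are constructed.

```php
<?php
// Added illustration: simplified stand-ins, NOT XenForo classes or routes.

final class Visitor
{
    public function __construct(public int $userId) {}
}

class Post
{
    public function __construct(public int $postId, public int $userId) {}

    // Baseline permission check: any logged-in user may report.
    public function canReport(Visitor $visitor): bool
    {
        return $visitor->userId > 0;
    }
}

// Entity-level rule in the shape suggested in the thread: no reporting your own content.
class PostNoSelfReport extends Post
{
    public function canReport(Visitor $visitor): bool
    {
        return parent::canReport($visitor) && $visitor->userId !== $this->userId;
    }
}

// "Template" that hides the button from the author. Cosmetic only.
function renderReportButton(Post $post, Visitor $visitor): string
{
    return $visitor->userId === $post->userId ? '' : "<a href=\"/posts/{$post->postId}/report\">Report</a>";
}

// Report endpoint: decides from canReport() alone, never from what the template rendered.
function handleReportRequest(Post $post, Visitor $visitor): int
{
    return $post->canReport($visitor) ? 200 : 403;
}

$author     = new Visitor(7);               // constructed sample users
$other      = new Visitor(8);
$hiddenOnly = new Post(42, 7);              // button hidden, no server-side rule
$enforced   = new PostNoSelfReport(42, 7);  // rule lives in the permission check
var_dump(renderReportButton($hiddenOnly, $author) === ''); // author sees no button
var_dump(handleReportRequest($hiddenOnly, $author));       // endpoint decision without the rule
var_dump(handleReportRequest($enforced, $author));         // endpoint decision with the rule
var_dump(handleReportRequest($enforced, $other));          // other users are unaffected
```

Because every button, custom display and direct request ends up at the same permission method, placing the rule there covers all of them at once.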
Thanks, I'll add this in the next version. Once I find all the right places.
 
Once I find all the right places.

You'd want to extend:
  • XF\Entity\Post
  • XF\Entity\ProfilePost
  • XF\Entity\ProfilePostComment
  • XF\Entity\ConversationMessage
If you want to support 1st party addons:
  • XFMG\Entity\Album
  • XFMG\Entity\MediaItem
  • XFMG\Entity\Comment
  • XFRM\Entity\ResourceUpdate
  • XFRM\Entity\ResourceRating

To extend XF\Entity\User, you'll need a slightly different function than the one above:

PHP:
public function canReport(&$error = null)
{
    return parent::canReport($error) && \XF::visitor()->user_id !== $this->user_id;
}
 
Thank you, I appreciate the time and the help. :)
 
There is a problem with the user entity: applying any type of check there removes the button in every profile. It's related to this XF bug report: https://xenforo.com/community/threa...an-be-reported-check-is-not-performed.178568/

So for the time being I am just going to have to use the TM for that.
 
You could combine that with the following extension for XF\Pub\Controller\Member to prevent bypassing that by accessing the route directly:

PHP:
public function actionReport(ParameterBag $params)
{
    $user = $this->assertViewableUser($params->user_id);
    if($user->user_id === \XF::visitor()->user_id) {
        return $this->noPermission();
    }
    return parent::actionReport($params);
}
 
That still does not fix the fact that extending the User entity causes the button to be removed from every user's profile, not just the visitor's. Also, combining that and extending XF\Pub\Controller\Member will not allow reporting anyone, even when accessing the URL directly. It's a bug XF is going to have to fix in the User entity.
 
Oh yeah, I was a bit unclear there, sorry. I meant combine that with your template modification to hide the button.
 
It'd be great if you can make the following locations selectable.

  • Posts
  • Profile posts
  • Profiles
  • Conversation posts
 