- Affected version
- 2.0.10
This may be 'as designed', but when handling a payment received from a payment provider the XF visitor is still set to a guest when running the user upgrade.
This makes any permission checks based on the ambient visitor likely to not work as expected, especially for 3rd party extensions. Especially as
:edit:
This makes any permission checks based on the ambient visitor likely to not work as expected, especially for 3rd party extensions. Especially as
canPurchase
is used in the GUI where you expect it to work off the current user.:edit:
In XF\Service\User\Upgrade::upgrade()
canPurchase
is called. It looks like the stock canPurchase
always return true since the user_id == 0, and that will (should?) never have an Active
entry.
Code:
public function canPurchase()
{
$visitor = \XF::visitor();
return ($this->can_purchase && !isset($this->Active[$visitor->user_id]));
}
Last edited: