XF 2.2 Reacting on a post is possible when permissions have been removed

SeToY

Well-known member
Hi there,

just happened on my forums:

  • User A opens a thread (not necessarily a new one)
  • Admin removes permissions of User A to see that forum/category
  • User A can still react to messages in that forum/category/thread

The way I see it, if a user doesn't have permission to see a forum, they shouldn't be allowed to react on posts within that forum.
 
a proper permission check on the controller
I agree. Except there is.

All of the default controller actions for reactions go through the Reaction controller plugin - this applies to all content types so it will be applied consistently.

Both the toggle and confirmation flows pass through the validateReactionAction method which performs the permission check:

PHP:
if (!$content->canReact($error))
{
   throw $this->exception($this->noPermission($error));
}

Admittedly I haven't attempted to reproduce the issue yet to see exactly what the behaviour is, but the code is pretty clear.

My working assumption if anything is wrong at all is perhaps the error is suppressed but in that case the reaction will still not be applied, even if the UI indicates it has.

Will check and report back.
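To show the pattern described above in runnable form, here is an added, self-contained PHP illustration. It is not XenForo's code: the Forum, Post, ReactionController and NoPermissionException classes are hypothetical stand-ins, and the reported steps (user reacts, admin revokes forum visibility, user tries to react again) are walked through as constructed sample data. The point it demonstrates is the defensive one from the post: canReact derives from canView on the container, and the controller checks it before any state change, so a suppressed error in the UI still cannot produce a stored reaction.

```php
<?php
// Added illustration, not XenForo's own code. All class and method names
// here are hypothetical stand-ins for the pattern quoted in the thread.

final class NoPermissionException extends RuntimeException {}

final class Forum
{
    /** @var array<string, bool> user id => may view this forum */
    private array $viewers = [];

    public function grantView(string $userId): void { $this->viewers[$userId] = true; }
    public function revokeView(string $userId): void { unset($this->viewers[$userId]); }
    public function canView(string $userId): bool { return isset($this->viewers[$userId]); }
}

final class Post
{
    /** @var array<string, string> user id => reaction id currently stored */
    private array $reactions = [];

    public function __construct(private Forum $forum) {}

    // The reaction permission is derived from the container's view permission,
    // so revoking forum visibility automatically revokes the ability to react.
    public function canReact(string $userId, ?string &$error = null): bool
    {
        if (!$this->forum->canView($userId)) {
            $error = 'You do not have permission to view this content.';
            return false;
        }
        return true;
    }

    public function applyReaction(string $userId, string $reactionId): void
    {
        $this->reactions[$userId] = $reactionId;
    }

    public function reactionOf(string $userId): ?string
    {
        return $this->reactions[$userId] ?? null;
    }
}

final class ReactionController
{
    // Mirrors the quoted check: validate first, change state only on success.
    public function actionReact(Post $post, string $userId, string $reactionId): string
    {
        if (!$post->canReact($userId, $error)) {
            throw new NoPermissionException($error);
        }
        $post->applyReaction($userId, $reactionId);
        return 'reacted';
    }
}

// Constructed walkthrough of the steps reported in the thread.
$forum = new Forum();
$forum->grantView('userA');
$post = new Post($forum);
$controller = new ReactionController();

// Step 1: User A can see the forum and reacts to a post.
echo $controller->actionReact($post, 'userA', 'like'), PHP_EOL;

// Step 2: Admin removes User A's permission to see the forum.
$forum->revokeView('userA');

// Step 3: User A tries to react again; the controller refuses.
try {
    $controller->actionReact($post, 'userA', 'love');
} catch (NoPermissionException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}

// Whatever the UI showed, the stored reaction is the one from step 1.
echo 'stored reaction: ', $post->reactionOf('userA'), PHP_EOL;
```

Run it with `php example.php` (PHP 8 or newer, for constructor property promotion). The check that matters is the one in the controller, not anything in the template: if an add-on bypasses that plugin, or the reaction is written by a code path that skips canReact, the server-side guarantee is gone, which is the kind of thing to look for when the observed behaviour differs from what this code allows.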
 
Thanks for your reply.

My working assumption if anything is wrong at all is perhaps the error is suppressed but in that case the reaction will still not be applied, even if the UI indicates it has.
That sounds reasonable, but I received an alert for it as well as confirmed that the content has received the reaction that was mentioned in the alert.
 
This is what I get if I try to reproduce the exact steps you reported:

[screenshot attachment: 1639428081024.webp]

Which is the behaviour I expected.

I can't speak for why your experience was different but the code shouldn't allow it to happen.

It would have to be a faulty add-on or the conditions you described weren't quite what you expected.
 
You sure this doesn't happen in the window between when the user has permission and when they no longer do? While the permission change is atomic, it takes a bit of time for the new permissions to be computed between clicking the button and it actually applying.
 
@SeToY Does your bug report relate to the latest XF version 228?

Also, it might be worth stating what versions of PHP and database you're running on as it can all affect things like this.
 