Fixed Reaction controller plugin doesn't check canView on the ReactionContent entity

Kirby

Well-known member
Affected version: 2.2.12
\XF\ControllerPlugin\Reaction::actionReactions

PHP:
$reactionsFinder = $reactionRepo->findContentReactions($contentType, $contentId, $reactionId)
    ->limitByPage($page, $perPage, 1);

$reactions = $reactionsFinder->fetch();

if (!count($reactions))
{
    return $this->message(\XF::phrase('no_one_has_reacted_to_this_content_yet'));
}

$hasNext = count($reactions) > $perPage;
$reactions = $reactions->slice(0, $perPage);

$tabSummary = $reactionRepo->getContentTabSummary($contentType, $contentId);

$viewParams = [
    [...]
    'reactions' => $reactions,

This code fetches the reactions and passes them through to the view without checking canView on the entity.
So if this method is modified by a class extension it won't have any effect here, effectively displaying reactions that probably should not be viewable.

It would be great if this could be modified so canView does get checked, maybe similar to what is done in XF\Pub\Controller\Account:
PHP:
$reactions = $reactions->filter(function(\XF\Entity\ReactionContent $reaction)
{
    return $reaction->canView() && $reaction->isRenderable();
});
 
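The listing above with the Account-controller style filter applied, as an added example (not XenForo's own code or the fix that shipped); it assumes the same $reactionRepo, $page and $perPage variables as the reported snippet and shows the pagination caveat that comes with filtering after the fetch:

```php
<?php
// Added example, not XenForo's code: the reactions listing from the report with the
// canView()/isRenderable() filter applied before the page is sliced, so entities the
// visitor may not see never reach the view template.
$reactionsFinder = $reactionRepo->findContentReactions($contentType, $contentId, $reactionId)
    ->limitByPage($page, $perPage, 1);

// Drop any ReactionContent the current visitor is not allowed to view. A class
// extension that overrides canView() on the entity now takes effect here as well.
$reactions = $reactionsFinder->fetch()->filter(function (\XF\Entity\ReactionContent $reaction)
{
    return $reaction->canView() && $reaction->isRenderable();
});

if (!count($reactions))
{
    return $this->message(\XF::phrase('no_one_has_reacted_to_this_content_yet'));
}

// Caveat: the filter runs after the fetch, so a page can come back with fewer than
// $perPage rows, and $hasNext is only a hint when the extra over-fetched row was the
// one filtered out. Filtering inside the finder (by permission-relevant columns) would
// keep page sizes exact, but that depends on what canView() actually checks.
$hasNext = count($reactions) > $perPage;
$reactions = $reactions->slice(0, $perPage);

$tabSummary = $reactionRepo->getContentTabSummary($contentType, $contentId);
```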
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.0 RC 5).

Change log:
Check if a reaction can be viewed before displaying it when using the ReactionPlugin
There may be a delay before changes are rolled out to the XenForo Community.
 