Reaction controller plugin doesn't check canView on the ReactionContent entity

Kirby

Well-known member
Affected version
2.2.12
\XF\ControllerPlugin\Reaction::actionReactions

PHP:
$reactionsFinder = $reactionRepo->findContentReactions($contentType, $contentId, $reactionId)
    ->limitByPage($page, $perPage, 1);

$reactions = $reactionsFinder->fetch();

if (!count($reactions))
{
    return $this->message(\XF::phrase('no_one_has_reacted_to_this_content_yet'));
}

$hasNext = count($reactions) > $perPage;
$reactions = $reactions->slice(0, $perPage);

$tabSummary = $reactionRepo->getContentTabSummary($contentType, $contentId);

$viewParams = [
    [...]
    'reactions' => $reactions,

This code fetches the reactions and passes them through to the view without checking canView on the entity.
So if this method is modified by a class extension, it won't have any effect here, probably displaying reactions that should not be viewable.

It would be great if this could be modified so canView does get checked, maybe similar to what is done in XF\Pub\Controller\Account:
PHP:
$reactions = $reactions->filter(function(\XF\Entity\ReactionContent $reaction)
{
    return $reaction->canView() && $reaction->isRenderable();
});
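As an added illustration (not XenForo's code and not part of the report above), the following stand-alone PHP script models the flow of actionReactions and shows where the canView()/isRenderable() filter from the Account controller snippet would slot in. The FakeReaction class, the ViewableReaction interface and buildReactionPage() are constructed for this demo; only the order of operations (fetch perPage + 1 rows, derive hasNext, slice, then filter) is taken from the quoted controller code.

```php
<?php
// Added example, not XenForo's own code: a minimal model of the reaction
// listing that applies the entity's canView() before anything reaches the view.
// ViewableReaction and FakeReaction are stand-ins constructed for this demo.

interface ViewableReaction
{
    public function canView(): bool;
    public function isRenderable(): bool;
}

final class FakeReaction implements ViewableReaction
{
    public function __construct(
        public int $id,
        private bool $viewable,
        private bool $renderable = true
    ) {}

    public function canView(): bool { return $this->viewable; }
    public function isRenderable(): bool { return $this->renderable; }
}

/**
 * Mirrors the order of operations in Reaction::actionReactions: the finder
 * returns up to perPage + 1 rows, hasNext is derived from that count, the
 * result is sliced to the page, and then (the step the report asks for) every
 * reaction the visitor may not see, or that cannot be rendered, is dropped.
 *
 * The early "no_one_has_reacted_to_this_content_yet" return on an empty fetch
 * happens before this function and is unchanged.
 *
 * @param ViewableReaction[] $fetched rows returned by the finder (up to perPage + 1)
 * @return array{reactions: ViewableReaction[], hasNext: bool}
 */
function buildReactionPage(array $fetched, int $perPage): array
{
    // Unchanged from the original flow: hasNext is decided on the raw fetch,
    // so pagination stays consistent with what the finder actually counted.
    $hasNext = count($fetched) > $perPage;
    $page = array_slice($fetched, 0, $perPage);

    // The missing check: filter through the entity's own canView(), so a class
    // extension that overrides it takes effect on this listing as well.
    $visible = array_values(array_filter(
        $page,
        fn(ViewableReaction $r) => $r->canView() && $r->isRenderable()
    ));

    return ['reactions' => $visible, 'hasNext' => $hasNext];
}

// Constructed sample: four rows fetched for perPage = 3; row 2 is not viewable
// by the current visitor and row 4 only exists to signal a next page.
$rows = [
    new FakeReaction(1, true),
    new FakeReaction(2, false),
    new FakeReaction(3, true),
    new FakeReaction(4, true),
];

$result = buildReactionPage($rows, 3);

echo 'visible ids: ', implode(',', array_map(fn($r) => $r->id, $result['reactions'])), PHP_EOL;
echo 'hasNext: ', $result['hasNext'] ? 'yes' : 'no', PHP_EOL;
```

Filtering after the slice keeps hasNext and the page size consistent with the finder's query; filtering before it would shift rows between pages depending on the viewer. Whether a page whose reactions are all filtered out should show the "no one has reacted" message is a separate design choice that the script leaves to the caller.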