
Fixed Resource edit permission check is incorrect in some cases

Pepelac

Well-known member
#1
The canEditResource method will not work correctly if the user has no permission to edit their own resources, but has permission to edit resources by anyone.

I suggest changing this method (and possibly others) in this way:

PHP:
public function canEditResource(array $resource, array $category, &$errorPhraseKey = '', array $viewingUser = null)
{
    $this->standardizeViewingUserReference($viewingUser);

    // Guests can never edit resources.
    if (!$viewingUser['user_id'])
    {
        return false;
    }

    // updateSelf only applies when the viewing user owns the resource.
    $updateSelf = false;
    if ($resource['user_id'] == $viewingUser['user_id'])
    {
        $updateSelf = XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'updateSelf');
    }

    // editAny applies regardless of ownership, so it is checked even for the owner.
    return $updateSelf || XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'editAny');
}
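
An added example, not part of the original post and not XenForo code: a stand-alone PHP model that runs the suggested logic and an assumed early-return variant (one shape that would produce the described symptom) over every combination of viewer and permission. `hasPerm`, both `canEdit...` function names, the permission array shape and the user ids are hypothetical.

```php
<?php
// Stand-in for XenForo_Permission::hasPermission(); the array shape is an assumption.
function hasPerm(array $permissions, string $group, string $name): bool
{
    return !empty($permissions[$group][$name]);
}

// Assumed shape of the reported behaviour (not on the page): the owner branch
// returns early, so editAny is never consulted for the user's own resources.
function canEditOwnerShortCircuit(array $resource, array $user): bool
{
    if (!$user['user_id']) {
        return false;
    }
    if ($resource['user_id'] == $user['user_id']) {
        return hasPerm($user['permissions'], 'resource', 'updateSelf');
    }
    return hasPerm($user['permissions'], 'resource', 'editAny');
}

// Logic suggested in the post: updateSelf counts only for the owner, editAny always.
function canEditSuggested(array $resource, array $user): bool
{
    if (!$user['user_id']) {
        return false;
    }
    $updateSelf = $resource['user_id'] == $user['user_id']
        && hasPerm($user['permissions'], 'resource', 'updateSelf');
    return $updateSelf || hasPerm($user['permissions'], 'resource', 'editAny');
}

// Constructed matrix: guest / owner / other user x updateSelf x editAny.
$resource = ['user_id' => 10];
foreach ([0 => 'guest', 10 => 'owner', 20 => 'other'] as $userId => $label) {
    foreach ([false, true] as $self) {
        foreach ([false, true] as $any) {
            $perms = ['resource' => ['updateSelf' => $self, 'editAny' => $any]];
            $user = ['user_id' => $userId, 'permissions' => $perms];
            $old = canEditOwnerShortCircuit($resource, $user);
            $new = canEditSuggested($resource, $user);
            // Invariant: logged in, and either editAny or (owner with updateSelf).
            if ($new !== ($userId !== 0 && ($any || ($userId === 10 && $self)))) {
                throw new LogicException("invariant violated for $label");
            }
            printf("%-5s updateSelf=%d editAny=%d assumed=%d suggested=%d%s\n", $label,
                $self, $any, $old, $new, $old !== $new ? '  <- differs' : '');
        }
    }
}
```

The same matrix can be reused as a regression check for any other permission method that pairs an "own" permission with an "any" permission.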