Fixed Resource edit permission check is incorrect in some cases

Pepelac

Well-known member
The canEditResource method will not work correctly if the user has no permission to edit their own resources but has permission to edit resources by anyone.

I suggest changing this method (and possibly others) in this way:

PHP:
public function canEditResource(array $resource, array $category, &$errorPhraseKey = '', array $viewingUser = null)
{
    $this->standardizeViewingUserReference($viewingUser);

    // Guests can never edit.
    if (!$viewingUser['user_id'])
    {
        return false;
    }

    // The updateSelf permission only counts when the viewer owns the resource.
    $updateSelf = false;
    if ($resource['user_id'] == $viewingUser['user_id'])
    {
        $updateSelf = XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'updateSelf');
    }

    // editAny applies regardless of ownership.
    return $updateSelf || XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'editAny');
}
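
The case described in the post, as an added example that is not part of the original post and is not XenForo code: it enumerates every owner/permission combination and lists where an early-return check and the proposed check disagree. The early-return variant is an assumed shape of the faulty logic (the page does not show it), and `hasPerm()` is a hypothetical stand-in for `XenForo_Permission::hasPermission()`.

```php
<?php
// hasPerm() is a hypothetical stand-in for XenForo_Permission::hasPermission().
function hasPerm(array $perms, string $name): bool
{
    return !empty($perms['resource'][$name]);
}

// Assumed faulty shape (not shown on the page): ownership picks the one permission consulted.
function canEditEarlyReturn(array $resource, array $user): bool
{
    if (!$user['user_id']) {
        return false;
    }
    if ($resource['user_id'] == $user['user_id']) {
        return hasPerm($user['permissions'], 'updateSelf');
    }
    return hasPerm($user['permissions'], 'editAny');
}

// Logic proposed in the post: owner-scoped permission OR the broader editAny.
function canEditProposed(array $resource, array $user): bool
{
    if (!$user['user_id']) {
        return false;
    }
    $updateSelf = $resource['user_id'] == $user['user_id']
        && hasPerm($user['permissions'], 'updateSelf');
    return $updateSelf || hasPerm($user['permissions'], 'editAny');
}

// Enumerate all combinations (constructed data) and collect the disagreements.
function findDisagreements(): array
{
    $out = [];
    foreach ([true, false] as $isOwner) {
        foreach ([true, false] as $self) {
            foreach ([true, false] as $any) {
                $user = ['user_id' => 1, 'permissions' => ['resource' => ['updateSelf' => $self, 'editAny' => $any]]];
                $resource = ['user_id' => $isOwner ? 1 : 2];
                if (canEditEarlyReturn($resource, $user) !== canEditProposed($resource, $user)) {
                    $out[] = ['isOwner' => $isOwner, 'updateSelf' => $self, 'editAny' => $any];
                }
            }
        }
    }
    return $out;
}

print_r(findDisagreements());
```

The two checks differ in exactly one combination: the viewer owns the resource, lacks updateSelf, and holds editAny. A matrix like this is a cheap regression test for any "own vs. any" permission pair.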
 