
Fixed Resource edit permission check is incorrect in some cases


The canEditResource method will not work correctly if the user has no permission to edit own resources but has permission to edit resources by anyone.

I suggest changing this method (and possibly others) in this way:

public function canEditResource(array $resource, array $category, &$errorPhraseKey = '', array $viewingUser = null)
{
    // Guests can never edit resources.
    if (!$viewingUser['user_id'])
        return false;
    // updateSelf only counts when the viewer owns the resource.
    $updateSelf = false;
    if ($resource['user_id'] == $viewingUser['user_id'])
        $updateSelf = XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'updateSelf');
    // editAny applies regardless of ownership, including to the viewer's own resources.
    return $updateSelf || XenForo_Permission::hasPermission($viewingUser['permissions'], 'resource', 'editAny');
}
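The permission matrix behind this report, as an added example that is not part of the original post or of XenForo's code. The `hasPermission()` stand-in and `canEditAssumedBefore()` are assumptions: the pre-fix method is not shown in the post, so its logic is reconstructed from the description of the bug.

```php
<?php
// Added example: stand-alone model of the permission logic; XenForo is not required.
// Stand-in for XenForo_Permission::hasPermission(), limited to the 'resource' group.
function hasPermission(array $permissions, string $permission): bool
{
    return !empty($permissions['resource'][$permission]);
}

// ASSUMED pre-fix behaviour, reconstructed from the report: an owner is judged on
// updateSelf alone, so editAny is never consulted for the viewer's own resource.
function canEditAssumedBefore(array $resource, array $viewingUser): bool
{
    if (!$viewingUser['user_id']) {
        return false;
    }
    if ($resource['user_id'] == $viewingUser['user_id']) {
        return hasPermission($viewingUser['permissions'], 'updateSelf');
    }
    return hasPermission($viewingUser['permissions'], 'editAny');
}

// The logic suggested in the post.
function canEditSuggested(array $resource, array $viewingUser): bool
{
    if (!$viewingUser['user_id']) {
        return false;
    }
    $updateSelf = $resource['user_id'] == $viewingUser['user_id']
        && hasPermission($viewingUser['permissions'], 'updateSelf');
    return $updateSelf || hasPermission($viewingUser['permissions'], 'editAny');
}

// Constructed matrix: viewer (0 = guest, 1 = owner, 2 = other member) x updateSelf x editAny.
$resource = ['user_id' => 1];
foreach ([0, 1, 2] as $viewerId) {
    foreach ([false, true] as $self) {
        foreach ([false, true] as $any) {
            $user = ['user_id' => $viewerId,
                'permissions' => ['resource' => ['updateSelf' => $self, 'editAny' => $any]]];
            $before = canEditAssumedBefore($resource, $user);
            $after = canEditSuggested($resource, $user);
            printf("viewer=%d updateSelf=%d editAny=%d before=%d after=%d%s\n",
                $viewerId, $self, $any, $before, $after,
                $before !== $after ? '  <-- differs' : '');
        }
    }
}
```

Running the full matrix rather than the single reported case also checks that the suggested change does not alter the outcome for guests or for non-owners.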