Fixed Users can bump each other out of conversations under certain circumstances

Affected version
<= 2.2.0 Beta 1

PaulB

Active member
This was initially submitted as a potential security vulnerability via the contact form, but it was deemed to be a standard bug, not a vulnerability.

Under certain circumstances, users can bump each other out of conversations. When this happens, there is no way for a user to rejoin the conversation.
  1. Alice and Bob are in a conversation with a number of other people.
  2. Alice no longer wants Bob to be in the conversation.
  3. Alice convinces Bob to ignore her. (It's not hard to imagine that this is difficult to achieve if they're already on bad terms.)
  4. Alice adds Bob to the conversation that he's already in.
  5. Because Bob ignores Alice, Bob's recipient_state is set to deleted_ignored.
  6. Bob has no way to rejoin the conversation, and nobody can add him back.
This is caused by the logic in the insertRecipients of the Conversation repository:
  1. Even though Bob is already in the conversation, he's included in the $recipientUsers array.
  2. Because Bob->isIgnoring(Alice) is true, $state will be set to deleted_ignored.
  3. $recipient->recipient_state != $state because $state is now 'deleted_ignored', so the recipient_state is overwritten.
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 Beta 5).

Change log:
Do not allow ignored users to remove others from conversations
There may be a delay before changes are rolled out to the XenForo Community.
 
Top