Fixed User's resources page doesn't show warning when there are no resources to display

R

refael

Well-known member
I was working on adding a new view permission and found this issue.

I'll explain that by code example:
PHP: 
class XenResource_ControllerPublic_Author extends XenForo_ControllerPublic_Abstract
{
    ...
    public function actionView()
    {
        ...
        foreach ($resources AS $key => $resource)
        {
            if (!$resourceModel->canViewResourceAndContainer($resource, $resource))
            {
                unset($resources[$key]);
            }
        }
        ...
    }
    ...
}

The loop here filters the resources that the user don't have permission to see.
The issue is that there is no check to ensure that there is something left in this array, and it's getting passed to the template as is.

So, for example, User A has few resources.
User B go to the resources page of User A, but he has no permission to view resources (permissions[resource][view]).
The result is that User B can access to this page, but all the resources are filtered.

ss.webp
 
Last edited:
The bug here is actually that what happened when you could view resources (generally) but not any categories. This lead to a case where no permission check was run on the query so it relied on that filtering. This could create a page nav unexpectedly as well in a few other places.

I've changed the condition handler to handle being given an empty array of allowed category IDs (by implementing an always false condition) and this sorts it here and on the main resource page.

Of course, giving no access to any category means that you really should just block the resources themselves at a general level otherwise you have a link that leads effectively to nothing.
 

Similar threads

Alpha1
Add a field to resources to clearly indicate if there are callbacks to the developers server or not.
Replies
13
Views
962
Mike
Mike
Back
Top Bottom