
Fixed User's resources page doesn't show warning when there are no resources to display

Discussion in 'Resource Manager Resolved Bugs' started by rellect, Jun 7, 2014.

  1. rellect

    rellect Well-Known Member

    I was working on adding a new view permission and found this issue.

    I'll explain that by code example:
    PHP:
    class XenResource_ControllerPublic_Author extends XenForo_ControllerPublic_Abstract
    {
        ...
        public function actionView()
        {
            ...
            foreach ($resources AS $key => $resource)
            {
                if (!$resourceModel->canViewResourceAndContainer($resource, $resource))
                {
                    unset($resources[$key]);
                }
            }
            ...
        }
        ...
    }
    The loop here filters the resources that the user doesn't have permission to see.
    The issue is that there is no check to ensure that there is something left in this array, and it's getting passed to the template as is.

    So, for example, User A has a few resources.
    User B goes to the resources page of User A, but he has no permission to view resources (permissions[resource][view]).
    The result is that User B can access this page, but all the resources are filtered.

     
    Last edited: Jun 7, 2014
  2. Mike

    Mike XenForo Developer Staff Member

    The bug here is actually what happened when you could view resources (generally) but not any categories. This led to a case where no permission check was run on the query so it relied on that filtering. This could create a page nav unexpectedly as well in a few other places.

    I've changed the condition handler to handle being given an empty array of allowed category IDs (by implementing an always false condition) and this sorts it here and on the main resource page.

    Of course, giving no access to any category means that you really should just block the resources themselves at a general level otherwise you have a link that leads effectively to nothing.
     
    Bob likes this.
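
The empty allow-list case from the reply above, as an added example that is not part of the original thread and is not XenForo's code: a condition builder that emits nothing for an empty list of allowed category IDs leaves the query unrestricted, while an always-false condition keeps the count and the listing in agreement. The table, column and function names are hypothetical, the rows are constructed, and the script assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration: table, column and function names are hypothetical, not XenForo's.

// Build the category restriction for a resource query from the viewer's allow-list.
function categoryCondition(array $allowedIds, bool $failClosed): string
{
    $allowedIds = array_map('intval', $allowedIds);
    if (!$allowedIds) {
        // Fail-open returns no condition at all, so the query is unrestricted.
        // Fail-closed returns an always-false condition, so nothing matches.
        return $failClosed ? '0 = 1' : '';
    }
    return 'category_id IN (' . implode(',', $allowedIds) . ')';
}

// Count an author's resources as the query layer would report them to the viewer.
function countVisible(PDO $db, int $authorId, array $allowedIds, bool $failClosed): int
{
    $sql = 'SELECT COUNT(*) FROM resource WHERE user_id = ?';
    $condition = categoryCondition($allowedIds, $failClosed);
    if ($condition !== '') {
        $sql .= ' AND ' . $condition;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute([$authorId]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample data: author 1 owns three resources in categories 10 and 20.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE resource (resource_id INTEGER PRIMARY KEY, user_id INTEGER, category_id INTEGER)');
$db->exec('INSERT INTO resource (user_id, category_id) VALUES (1, 10), (1, 10), (1, 20)');

$viewerAllowed = [];   // viewer may view resources in general, but no category

// Fail-open: the count (and any page nav built from it) covers rows the viewer cannot see.
printf("fail-open count:   %d\n", countVisible($db, 1, $viewerAllowed, false));
// Fail-closed: the query itself reports that nothing is visible.
printf("fail-closed count: %d\n", countVisible($db, 1, $viewerAllowed, true));
// A non-empty allow-list produces the same IN (...) restriction in both modes.
printf("category 10 only:  %d\n", countVisible($db, 1, [10], true));
```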
