Fixed When reporting content, can be reported check is not performed

[TickTackk]

Affected version

2.1.8 PL2

When viewing member profile, "Report" button is hidden because it calls canBeReported() but when viewing a content created by the same user (read: member), the only check that is performed is canReport.

This also makes it super hard to distinguish between the reporter and the content owner.

Also the report button is just hidden but can be accessed directly. If this is indeed a bug and not marked as-designed then this affects Media Gallery and Resource Manager as well.

 

[Ozzy47]

I am suprised this has not been exposed before. Any user can report a admin by going to the URL directly.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.10).

Change log:

Correctly check permissions on user report page

There may be a delay before changes are rolled out to the XenForo Community.

 

[Chris D]

So just to clarify, the only bug here is that a staff member could be reported by going directly to the report URL.

When dealing with the User entity it's always slightly tricky because often there's a distinction between the user performing the action (the visitor) vs the user being acted upon. Due to this, there's some special cases in naming and some cases which aren't quite as clear because of the visitor/user distinction.

This User::canBeReported() method is actually one of those special cases and less clear scenarios.

User::canBeReported() is actually equivalent to Post::canReport() and MediaItem::canReport(). Each of them pertain to whether the content being reported can be reported.

User::canReport() however is to ascertain whether the visitor doing the report is allowed to.

Admittedly, seeing it in black and white, it's fairly obvious that what we should have had is User::canBeReported(), Post::canBeReported() and so on but that's hindsight for you