Fixed XF\Api\Controller::assertViewableAlert does not respect \XF::isApiCheckingPermissions()

TickTackk

TickTackk

Well-known member
Affected version
2.2.1
This:
PHP: 
        if (!$alert->canView())
        {
            throw $this->noPermission();
        }
should be:
PHP: 
        if (\XF::isApiCheckingPermissions() && !$alert->canView())
        {
            throw $this->noPermission();
        }
 
XF Bug Bot

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.2).

Change log:
Respect API permission bypass when checking alert viewability
Click to expand...
There may be a delay before changes are rolled out to the XenForo Community.
 

Similar threads

mattrogowski
Media inside deleted category albums remain accessible by direct URL
Replies
0
Views
119
mattrogowski
mattrogowski
X
Fixed Post::getTypePermissionConstraints does not cull all nodes a user can't view threads in
Replies
1
Views
333
XF Bug Bot
XF Bug Bot
mattrogowski
Fixed Moving an album out of a category makes it inaccessible
Replies
1
Views
587
XF Bug Bot
XF Bug Bot
DragonByte Tech
Fixed XF\Api\Controller\Alert :: assertViewableAlert has two coding errors
Replies
1
Views
905
XF Bug Bot
XF Bug Bot
Externalizable
Fixed Deleted users will have their threads revealed to the public
Replies
12
Views
944
XF Bug Bot
XF Bug Bot
Top