Fixed XF\ControllerPlugin\Undelete doesn't call the canUndelete method

Kruzya

Well-known member
Affected version
2.2.0 Beta 1
As said in the thread.

For example, we have two members: admin and moderator. moderator can't undelete, but can view deleted posts (if we check with analyze permissions).
admin deletes some post, and moderator can view it (but can't undelete). If moderator opens the URL /posts/{post_id}/undelete, he can restore (undelete) the post!

In XF\ControllerPlugin\Undelete we can see only a method_exists() check, but the method canUndelete is never called anywhere in this action.

This "strange" behavior can be reproduced right here. This action is available to any user (including guests!) for any visible post/thread/resource:
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.11).

Change log:
Perform relevant permission check when attempting to undelete content using the Undelete controller plugin.
There may be a delay before changes are rolled out to the XenForo Community.
 
Just to clarify, this strange behaviour isn't quite as bad as it might seem first of all.

In all cases you could have only displayed the undelete dialog if you could already view the content. To be clear, this means that a guest (or any non-moderator) wouldn't be able to actually undelete any content because guests can't view deleted content.

But, yes, moderators without the undelete permission may have been able to bypass the permission check in some cases as long as they appended /undelete onto the end of a content URL that they could already view.

We've applied the appropriate permission check and thus you should be able to confirm the issue is resolved.
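To make the reported defect and its fix concrete, here is an added, stand-alone PHP illustration (not XenForo's own code): a constructed `Post` stand-in with a `canUndelete(&$error)` method, an action that only checks `method_exists()` as described above, and the same action with the permission method actually called. The class and function names are hypothetical.

```php
<?php
// Constructed stand-in for a content entity; not a XenForo class.
class Post
{
    public bool $isDeleted = true;

    public function __construct(private bool $viewerCanUndelete) {}

    // Same shape as an entity permission method: returns bool and
    // fills $error when permission is denied.
    public function canUndelete(?string &$error = null): bool
    {
        if (!$this->viewerCanUndelete) {
            $error = 'You do not have permission to undelete this content.';
            return false;
        }
        return true;
    }

    public function undelete(): void
    {
        $this->isDeleted = false;
    }
}

// Before: confirms the method exists but never calls it, so any viewer
// who can reach the action restores the content.
function undeleteUnchecked(object $content): string
{
    if (!method_exists($content, 'canUndelete')) {
        return 'error: content does not support undelete';
    }
    $content->undelete(); // no permission check between here and above
    return 'undeleted';
}

// After: the existence check is followed by the real permission call.
function undeleteChecked(object $content): string
{
    if (!method_exists($content, 'canUndelete')) {
        return 'error: content does not support undelete';
    }
    if (!$content->canUndelete($error)) {
        return 'no permission: ' . $error;
    }
    $content->undelete();
    return 'undeleted';
}

// Moderator who can view deleted content but lacks the undelete permission.
echo undeleteUnchecked(new Post(viewerCanUndelete: false)), PHP_EOL;
echo undeleteChecked(new Post(viewerCanUndelete: false)), PHP_EOL;
echo undeleteChecked(new Post(viewerCanUndelete: true)), PHP_EOL;
```

Running it shows the first call succeeding for the unprivileged viewer while the checked version refuses and reports the denial reason.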
 