
feature(hooks): Adds indication in container permissions hook of checking owner

For some reason ElggEntity::create checks the ability to write to the entity
owner, even if the owner will not be the entity’s container. In this case,
the container_permissions_check hook is called twice, and handlers cannot
tell which $params['container'] will actually be the entity container, and
which is really the owner being checked.

This introduces a flag $params['checking_owner'] to let handlers know that
$params['container'] is actually not the container of the entity being
created.

Fixes #8774
mrclay committed Jul 31, 2015
1 parent 4016059 commit 298b5231b549739a1a6fc831d249fa708310750d
Showing with 14 additions and 6 deletions.
  1. +4 −0 docs/guides/hooks-list.rst
  2. +6 −4 engine/classes/ElggEntity.php
  3. +4 −2 engine/lib/entities.php
@@ -195,6 +195,10 @@ Permission hooks
Return boolean for if the user ``$params['user']`` can use the entity ``$params['container']``
as a container for an entity of ``<entity_type>`` and subtype ``$params['subtype']``.
During entity creation, this may also be triggered for entity owner-to-be (where the owner will *not* be the
container). In this single case, ``$params['checking_owner']`` will be set to true. For all other cases, it
will be false, indicating that ``$params['container']`` will indeed be the entity's container.
**permissions_check, <entity_type>**
Return boolean for if the user ``$params['user']`` can edit the entity ``$params['entity']``.
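Review bot: the added paragraph on ``$params['checking_owner']`` does not say what follows the owner check, which a handler author needs in order to use the flag safely. Going by the ElggEntity::create change in this commit, a false result on the owner call aborts creation, and when owner and container differ the hook is triggered a second time with the real container and the flag set to false. Suggest stating both points here, so handlers know that a decision made while the flag is true is not the final word on the container.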
@@ -1117,12 +1117,13 @@ public function canEditMetadata($metadata = null, $user_guid = 0) {
* @param int $user_guid The GUID of the user creating the entity (0 for logged in user).
* @param string $type The type of entity we're looking to write
* @param string $subtype The subtype of the entity we're looking to write
* @param string $checking Do not provide this argument. This is only to be used by ElggEntity::create.
*
* @return bool
* @see elgg_set_ignore_access()
*/
public function canWriteToContainer($user_guid = 0, $type = 'all', $subtype = 'all') {
return can_write_to_container($user_guid, $this->guid, $type, $subtype);
public function canWriteToContainer($user_guid = 0, $type = 'all', $subtype = 'all', $checking = '') {
return can_write_to_container($user_guid, $this->guid, $type, $subtype, $checking);
}
/**
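Review bot: the new docblock line for $checking says only "Do not provide this argument", yet the parameter is added to a public method, so nothing prevents plugin code from passing it. Suggest documenting the accepted values ('owner', 'container' or the empty default) and marking the parameter as internal, or routing the owner check from ElggEntity::create through a non-public helper so the public signature stays at three arguments.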
@@ -1525,13 +1526,14 @@ protected function create() {
}
$owner = $this->getOwnerEntity();
if ($owner && !$owner->canWriteToContainer(0, $type, $subtype)) {
$checking = ($owner_guid === $container_guid) ? 'container' : 'owner';
if ($owner && !$owner->canWriteToContainer(0, $type, $subtype, $checking)) {
return false;
}
if ($owner_guid != $container_guid) {
$container = $this->getContainerEntity();
if ($container && !$container->canWriteToContainer(0, $type, $subtype)) {
if ($container && !$container->canWriteToContainer(0, $type, $subtype, 'container')) {
return false;
}
}
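Review bot: $checking is derived with a strict comparison ($owner_guid === $container_guid) while the container branch a few lines below is guarded by a loose one ($owner_guid != $container_guid). If the two GUIDs ever arrive with different types, for example int 5 and string '5', the first test yields 'owner' and the second block is skipped, so the hook runs once with checking_owner set to true and never for the real container; a handler that defers its decision when the flag is set would then never be asked about the container at all. Unless both values are cast to int above this hunk, use the same comparison in both places, for example cast once and compare with === and !==.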
@@ -291,10 +291,11 @@ function update_subtype($type, $subtype, $class = '') {
* @param int $container_guid The container, or 0 for the current page owner.
* @param string $type The type of entity we want to create (default: 'all')
* @param string $subtype The subtype of the entity we want to create (default: 'all')
* @param string $checking Do not provide this argument. This is only to be used by ElggEntity::create.
*
* @return bool
*/
function can_write_to_container($user_guid = 0, $container_guid = 0, $type = 'all', $subtype = 'all') {
function can_write_to_container($user_guid = 0, $container_guid = 0, $type = 'all', $subtype = 'all', $checking = '') {
$container_guid = (int)$container_guid;
if (!$container_guid) {
$container_guid = elgg_get_page_owner_guid();
@@ -328,7 +329,8 @@ function can_write_to_container($user_guid = 0, $container_guid = 0, $type = 'al
array(
'container' => $container,
'user' => $user,
'subtype' => $subtype
'subtype' => $subtype,
'checking_owner' => ($checking === 'owner'),
),
$return);
}
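Review bot: 'checking_owner' => ($checking === 'owner') treats every other value, including a misspelled or differently cased string, as a container check, so a caller mistake silently produces checking_owner = false. Since can_write_to_container() takes $checking as a free-form string, consider rejecting values outside '', 'owner' and 'container' before building $params, or replacing the string with a boolean so there is no third state to mishandle.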
