fix(entities): Entity creation no longer needlessly checks owner container

BREAKING CHANGE: When creating within a group, ElggEntity::create used to always separately check if the current user can use the owner's account as a container. This made sure that one group member could not post to the group using another member as owner.

This separate check led to confusion, as handlers of the container_permissions_check hook were told that the owner was to be the container, when it was actually the group.

Here we bypass the separate owner container check if the desired owner_guid is the logged in user GUID. This eliminates the check under all normal circumstances but leaves it in place in case a poorly coded plugin allows the impersonation described above.

This also denies creation if the owner/container GUIDs are set but can't be loaded. Before, create() would simply bypass the permissions check if it couldn't load the owner/container.

Fixes #4231
Showing with 42 additions and 7 deletions.
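
The decision logic described in the commit message, modelled as an added PHP sketch; it is not Elgg's code and not part of this commit. All function names, constants and GUIDs are hypothetical, and the container permission check is reduced to "own account or group membership".

```php
<?php
// Simplified model of the checks the commit message describes. Not Elgg code:
// every function and constant here is a hypothetical stand-in.

// Constructed sample data: GUID => entity type. GUID 99 does not exist.
const ENTITIES = [10 => 'user', 11 => 'user', 12 => 'user', 20 => 'group'];
// Constructed membership: group GUID => member GUIDs.
const MEMBERS = [20 => [10, 11]];

function members_of(int $guid): array {
    return array_key_exists($guid, MEMBERS) ? MEMBERS[$guid] : [];
}

// Stand-in for the container permission check: a user may write to their
// own account, or to a group they belong to.
function can_write_to_container(int $user, int $container): bool {
    return $container === $user || in_array($user, members_of($container), true);
}

function can_create(int $logged_in, int $owner, int $container): bool {
    // Fail closed: a GUID that is set (non-zero) but cannot be loaded denies creation.
    foreach ([$owner, $container] as $guid) {
        if ($guid !== 0 && !array_key_exists($guid, ENTITIES)) {
            return false;
        }
    }
    // The separate owner check is bypassed only when the owner is the logged-in user.
    if ($owner !== 0 && $owner !== $logged_in && !can_write_to_container($logged_in, $owner)) {
        return false;
    }
    // The container itself (here, the group) is always checked.
    return $container === 0 || can_write_to_container($logged_in, $container);
}

// [scenario, logged-in user, owner GUID, container GUID, expected result]
$cases = [
    ['member posts to group as self',         10, 10, 20, true],
    ['member posts to group as other member', 10, 11, 20, false],
    ['non-member posts to group as self',     12, 12, 20, false],
    ['container GUID cannot be loaded',       10, 10, 99, false],
    ['owner GUID cannot be loaded',           10, 99, 20, false],
];
foreach ($cases as [$what, $user, $owner, $container, $expected]) {
    $actual = can_create($user, $owner, $container);
    printf("%-40s %s%s\n", $what, $actual ? 'allowed' : 'denied',
        $actual === $expected ? '' : '  (unexpected)');
}
```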