New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WidgetsService::canEditLayout ignores passed in GUID checking admin #8945

Closed
mrclay opened this Issue Sep 16, 2015 · 0 comments

Comments

Projects
None yet
1 participant
@mrclay
Member

mrclay commented Sep 16, 2015

If you pass in a GUID, it only checks whether the current user is an admin (not the passed in user).
https://github.com/Elgg/Elgg/blob/2.x/engine/classes/Elgg/WidgetsService.php#L117

Could this be by design?

mrclay added a commit to mrclay/Elgg-leaf that referenced this issue Sep 16, 2015

fix(permissions): All permissions functions handle user fetches consi…
…stently

All permissions functions now find hidden/disabled users and, when a
given GUID isn't found, they return false and issue a warning. Previously,
only some functions issued warnings, and some functions would silently
substitute the logged in user if a given GUID couldn't load.

This also adds functionality to the internal entity getter allowing fetching
entities that may be hidden/disabled.

Fixes #8941
Fixes #8038
Fixes #8945

mrclay added a commit to mrclay/Elgg-leaf that referenced this issue Sep 17, 2015

fix(permissions): All permissions functions handle user fetches consi…
…stently

All permissions functions now find hidden/disabled users and, when a
given GUID isn't found, they return false and issue a warning. Previously,
only some functions issued warnings, and some functions would silently
substitute the logged in user if a given GUID couldn't load.

This also adds functionality to the internal entity getter allowing fetching
entities that may be hidden/disabled.

Fixes #8941
Fixes #8038
Fixes #8945

mrclay added a commit to mrclay/Elgg-leaf that referenced this issue Sep 20, 2015

fix(permissions): All permissions functions handle user fetches consi…
…stently

All permissions functions now find hidden/disabled users and, when a
given GUID isn't found, they return false and issue a warning. Previously,
only some functions issued warnings, and some functions would silently
substitute the logged in user if a given GUID couldn't load.

Fixes #8941
Fixes #8038
Fixes #8945

@mrclay mrclay closed this in #8944 Oct 26, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment