Deprecate logged-in-user magic from permission checks #8953
Comments
We might also type hint
Transition might be tricky. We'd have to leave the default as
I forgot that sometimes we may need to check also non-logged-in users. Could an empty ElggEntity object represent a non-logged in user? `$container->canWriteToContainer(new ElggUser());`
A long time ago I proposed a UserState value object with just a few methods (getUser, getGuid, isLoggedIn). The value is in eliminating ambiguity. null means you don't have it, and the API can fetch it for you. If you pass it in, the API knows you intend for that state to be used. Using a Something like this would be BC safe:

```php
function canEdit($user = ElggUser::NOT_GIVEN) {
    // here we can safely distinguish between these values:
    // ElggUser = logged in
    // null = logged out
    // ElggUser::NOT_GIVEN ('NOT_GIVEN') = pull it from session
    // anything else = throw exception
}
```
Eh, that's no good either, same problem as using 0.
Using entityTable->getUserForPermissionsCheck() internally, this seems no longer a big problem. If it's really worth breaking a ton of API to be more strict, we can use something like this, which can unambiguously represent a logged out user.
Going to leave this as is |
I don't think we should leave it as is |
for now we will... both ideas were not solving the issue. Can reopen this when there is something better |
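The ambiguity this thread is about, as an added example that is not part of the original issue or of Elgg's code: a permission check that falls back to the session user answers for the wrong principal when the caller meant "anonymous visitor", while a sentinel default keeps the two cases apart. The `User`, `Session` and `Entity` classes and both method bodies are hypothetical stand-ins written for PHP 8; only the `NOT_GIVEN` sentinel idea comes from the comment above.

```php
<?php
// Stand-alone sketch: none of these classes are Elgg's API (all hypothetical).
final class User {
    public function __construct(public int $guid) {}
}

final class Session {
    public static ?User $loggedIn = null; // stand-in for the session user
}

final class Entity {
    public const NOT_GIVEN = 'NOT_GIVEN'; // sentinel, as proposed in the thread

    public function __construct(private int $ownerGuid) {}

    // Legacy behaviour: a missing or empty user silently becomes the session user.
    public function canEditLegacy($user = null): bool {
        $user = $user ?: Session::$loggedIn;
        return $user instanceof User && $user->guid === $this->ownerGuid;
    }

    // Strict behaviour: null means "logged out"; only the sentinel reads the session.
    public function canEdit($user = self::NOT_GIVEN): bool {
        if ($user === self::NOT_GIVEN) {
            $user = Session::$loggedIn;
        } elseif ($user !== null && !($user instanceof User)) {
            throw new InvalidArgumentException('Expected User, null or NOT_GIVEN');
        }
        return $user instanceof User && $user->guid === $this->ownerGuid;
    }
}

// Constructed scenario: the owner is logged in while code evaluates access
// on behalf of an anonymous visitor (for example when building a cached page).
Session::$loggedIn = new User(42);
$post = new Entity(42);
$anonymous = null;

var_dump($post->canEditLegacy($anonymous)); // legacy: the session user is checked, not the visitor
var_dump($post->canEdit($anonymous));       // strict: null is evaluated as a logged-out user
var_dump($post->canEdit());                 // strict: omitting the argument opts in to the session user

try {
    $post->canEdit(0); // the ambiguous legacy value is rejected rather than guessed at
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```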
Most of our permission checks default to the logged in user in case a user is not explicitly passed into the permission check functions.
Deprecating this feature will: