
[com_messages] Add recipient permission check #1146

jgerman-bot opened this issue Jun 28, 2020 · 0 comments · Fixed by #1150


New language-relevant PR in upstream repo: joomla/joomla-cms#29566. Here are the upstream changes:

diff --git a/administrator/components/com_messages/models/message.php b/administrator/components/com_messages/models/message.php
index e0fad991fac0..823a4043d185 100644
--- a/administrator/components/com_messages/models/message.php
+++ b/administrator/components/com_messages/models/message.php
@@ -322,6 +322,17 @@ public function save($data)
 			return false;
 		}
 
+		// Load the user details (already valid from table check).
+		$toUser = \JUser::getInstance($table->user_id_to);
+
+		// Check if recipient can access com_messages.
+		if (!$toUser->authorise('core.login.admin') || !$toUser->authorise('core.manage', 'com_messages'))
+		{
+			$this->setError(\JText::_('COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED'));
+
+			return false;
+		}
+
 		// Load the recipient user configuration.
 		$model  = JModelLegacy::getInstance('Config', 'MessagesModel', array('ignore_request' => true));
 		$model->setState('user.id', $table->user_id_to);
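Review bot: The added lines use fully-qualified `\JUser::getInstance(...)` and `\JText::_(...)` while the surrounding code in the same method calls `JModelLegacy::getInstance(...)` and `JUser::getInstance(...)` unqualified (the context line after the new block and the second hunk), so for consistency drop the leading backslashes: `$toUser = JUser::getInstance($table->user_id_to);` and `$this->setError(JText::_('COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED'));`. The comment "already valid from table check" refers to validation that happens outside this hunk; naming the method that performs it would let a reader confirm the recipient id cannot be an unknown user before its permissions are tested. The new check itself is sound for its purpose: refusing to store a message for a recipient who lacks either `core.login.admin` or `core.manage` on com_messages means the message is never created for an account that could not read it, and the denial follows the existing setError/return-false pattern used just above. The enclosing `save()` starts before this hunk and continues past the second hunk, which removes the now-redundant local `$toUser`.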
@@ -351,9 +362,7 @@ public function save($data)
 
 		if ($config->get('mail_on_new', true))
 		{
-			// Load the user details (already valid from table check).
 			$fromUser         = JUser::getInstance($table->user_id_from);
-			$toUser           = JUser::getInstance($table->user_id_to);
 			$debug            = JFactory::getConfig()->get('debug_lang');
 			$default_language = JComponentHelper::getParams('com_languages')->get('administrator');
 			$lang             = JLanguage::getInstance($toUser->getParam('admin_language', $default_language), $debug);
diff --git a/administrator/language/en-GB/en-GB.com_messages.ini b/administrator/language/en-GB/en-GB.com_messages.ini
index 790445f5c5af..954c6c7f9c7a 100644
--- a/administrator/language/en-GB/en-GB.com_messages.ini
+++ b/administrator/language/en-GB/en-GB.com_messages.ini
@@ -18,6 +18,7 @@ COM_MESSAGES_ERROR_INVALID_TO_USER="Invalid recipient"
 COM_MESSAGES_ERROR_MISSING_ROOT_ASSET_GROUPS="Missing root asset groups to send notification."
 COM_MESSAGES_ERROR_NO_GROUPS_SET_AS_SUPER_USER="There are no groups set with super user permissions."
 COM_MESSAGES_ERROR_NO_USERS_SET_AS_SUPER_USER="There are no users set with super user permissions."
+COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED="Recipient is not authorised to receive messages."
 COM_MESSAGES_FIELD_AUTO_PURGE_DESC="Automatically delete private messages after the given number of days."
 COM_MESSAGES_FIELD_AUTO_PURGE_LABEL="Auto-delete Messages (days)"
 COM_MESSAGES_FIELD_DATE_TIME_LABEL="Posted"