If you have approval turned on it is possible to request and add users to your buddylist who in turn do not have the "maintain buddylist" user permission. When approval is enabled both users should have the required permissions.

Here is a patch to correct this. It does the following.

1. Prevents the add action when viewing the user if the above conditions exist
2. As a fail-safe, makes the same sanity check in the handler for buddy/add, since you can get to this via the correct URL

For non-approval mode I made the assumption that it's fine to add a user who in turn can't maintain their own buddylist.

Attachment: check_perms_before_add.txt (1.45 KB), by dldege
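
The two checks listed in the report above (withholding the add action on the user page, and repeating the check in the buddy/add handler), shown as an added example that is neither the attached patch nor the buddylist module's own code. It is a stand-alone PHP model: every function name, the account arrays and the uid suffix on the path are assumptions.

```php
<?php
// Added illustration: a stand-alone model, not the buddylist module's code.
// All function names and the account arrays are hypothetical.
const EXAMPLE_PERM = 'maintain buddylist';

function example_has_perm(array $account, string $perm): bool {
  return in_array($perm, $account['perms'], true);
}

// One decision function, shared by the UI and the handler.
function example_can_add_buddy(array $requester, array $target, bool $approval): bool {
  if (!example_has_perm($requester, EXAMPLE_PERM)) {
    return false;
  }
  // Approval mode: the invited user must be allowed a buddylist too.
  if ($approval && !example_has_perm($target, EXAMPLE_PERM)) {
    return false;
  }
  return true;
}

// Check 1: the user page only offers the add action when it is allowed.
function example_add_link(array $requester, array $target, bool $approval): ?string {
  return example_can_add_buddy($requester, $target, $approval)
    ? 'buddy/add/' . $target['uid']  // uid suffix is an assumed path shape
    : null;
}

// Check 2: the handler repeats the decision, because the URL can be
// requested directly without ever seeing the link.
function example_handle_add(array $requester, array $users, int $uid, bool $approval): int {
  if (!isset($users[$uid])) {
    return 404;
  }
  return example_can_add_buddy($requester, $users[$uid], $approval) ? 200 : 403;
}

// Constructed sample accounts.
$users = [
  1 => ['uid' => 1, 'perms' => ['maintain buddylist']],  // has the permission
  2 => ['uid' => 2, 'perms' => []],                      // lacks the permission
];

var_dump(example_add_link($users[1], $users[2], true));     // approval mode, user page
var_dump(example_handle_add($users[1], $users, 2, true));   // approval mode, direct request
var_dump(example_handle_add($users[1], $users, 2, false));  // non-approval mode
```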

Comments

dldege

Priority: Normal » Critical
dldege

This is still a problem.

I'm starting a new site with the 1.0 release and I have some users who are in the networking role and some that are not. That is, some users have the "maintain buddylist" permission and some don't. You should not be able to invite a user who does not have that permission when using the approval required mode since the user you are inviting is not allowed to have a buddylist.

dldege

Status: Needs review » Fixed
Anonymous

Status: Fixed » Closed (fixed)