If you have approval turned on it is possible to request and add users to your buddylist who in turn do not have the "maintain buddylist" user permission. When approval is enabled both users should have the required permissions.
Here is a patch to correct this. It does the following.
1. Prevents the add action when viewing the user if the above conditions exist.
2. As a fail-safe, makes the same sanity check in the handler for buddy/add, since you can get to this via the correct URL.
For non-approval mode I made the assumption that it's fine to add a user who in turn can't maintain their own buddylist.
| Comment | File | Size | Author |
|---|---|---|---|
| | check_perms_before_add.txt | 1.45 KB | dldege |
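The two enforcement points described in the post above (hiding the add action on the user view and repeating the check in the buddy/add handler), shown as an added example that is not the attached patch or the buddylist module's own code. The function names, the account array and the status codes are hypothetical; only the "maintain buddylist" permission string comes from the page.

```php
<?php
// Added illustration; all names here are hypothetical, not the buddylist module's API.
const PERM = 'maintain buddylist';

// Constructed sample accounts: uid => granted permissions.
$accounts = [
    1 => ['name' => 'alice', 'perms' => [PERM]],
    2 => ['name' => 'bob',   'perms' => [PERM]],
    3 => ['name' => 'carol', 'perms' => []],   // not in the networking role
];

function has_perm(array $account, string $perm): bool {
    return in_array($perm, $account['perms'], true);
}

// Single policy function shared by the profile view and the add handler.
function can_add_buddy(array $requester, array $target, bool $approval_required): bool {
    if (!has_perm($requester, PERM)) {
        return false;
    }
    // Approval mode: the target must be allowed to have a buddylist too.
    if ($approval_required && !has_perm($target, PERM)) {
        return false;
    }
    return true;
}

// 1. View layer: only offer the "add" action when the policy allows it.
function profile_actions(array $viewer, array $viewed, bool $approval_required): array {
    return can_add_buddy($viewer, $viewed, $approval_required) ? ['add buddy'] : [];
}

// 2. Handler: repeat the check, because the add URL can be requested directly.
function handle_buddy_add(array $accounts, int $requester_uid, int $target_uid, bool $approval_required): int {
    $requester = $accounts[$requester_uid] ?? null;
    $target = $accounts[$target_uid] ?? null;
    if ($requester === null || $target === null) {
        return 404;
    }
    return can_add_buddy($requester, $target, $approval_required) ? 200 : 403;
}

// alice (has the permission) tries to add carol (does not), in both modes.
foreach ([true, false] as $approval) {
    printf("approval=%s link=%s handler=%d\n",
        var_export($approval, true),
        json_encode(profile_actions($accounts[1], $accounts[3], $approval)),
        handle_buddy_add($accounts, 1, 3, $approval));
}
```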
Comments
Comment #1
dldege commented
Comment #2
dldege commented
This is still a problem.
I'm starting a new site with the 1.0 release and I have some users who are in the networking role and some that are not. That is, some users have the "maintain buddylist" permission and some don't. You should not be able to invite a user who does not have that permission when using the approval required mode since the user you are inviting is not allowed to have a buddylist.
Comment #3
dldege commented
Comment #4
(not verified) commented