Hi, I create a one-way relationship name "Fan". So users can be fan of others users. The one-way work great, user are able to be fan and remove relationship, but user are able to remove there fan.

Exemple,
User A is Fan of User B
User B is able to remove the One-way relationship of User A to Them.

Is it normal ? This should not be possible, Or it should be possible to deny from the settings in admin interface when configuring the relationship type with something like, "Deny the non-owner of relationship to delete relationship".

Is it possible to do it ?!?

Thanks in advance.

Files: 
CommentFileSizeAuthor
#10 user_relationships_1245796_oneway_relationship_deletion_10.patch820 bytesSimon Georges
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch user_relationships_1245796_oneway_relationship_deletion_10.patch. Unable to apply patch. See the log in the details link for more information.
[ View ]
#5 user_relationships-oneway_permissions-1245796-5.patch1.06 KBgrasmash
PASSED: [[SimpleTest]]: [MySQL] 1,004 pass(es).
[ View ]

Comments

Berdir’s picture

You are right that there should be a way to configure this. Not sure if this is a bug though.

We're redesigning the permissions in #1115998: Revamp core and UI permissions, which adds a permission for maintaining relationships (approve/decline). It probably won't cover this case yet correctly but it could be a starting point. There will certainly nothing happen here before the linked issue is fixed, so please help there!

sw3b’s picture

Ok cool thanks !

sw3b’s picture

Could it be possible to add a permission that says "Delete follow relationships you to them" and "Delete follow relationships them to you" has an exemple. Maybe it more easy that way ?!?

Thanks for your help, I would like to help with code but i'm not there in my skill...maybe the idea is an option.

grasmash’s picture

@sw3b I'll share with you the way that I addressed this.

Here's my rationale: any user who does not have 'administer relationships' permission should not be able to delete oneway relationship requested by other users. Such users should not be able to control the non-reciprocal relationships of other users in any situation.

Rather than adding a new permission to address this issue, I just added an extra conditional to user_relationships_ui_check_access() in user_relationships_ui.module.

Replace this (~line 177):

<?php
   
case 'delete':
      if (
$account->uid == $user->uid && user_relationships_user_access('delete @relationship relationships', $relationship_type)) {
        return
TRUE;
      }
      break;
?>

With:

<?php
   
case 'delete':
      if (
is_object($relationship_type) && $relationship_type->is_oneway && $relationship_type->requestee_id == $user->uid) {
        return
FALSE;
      }
      if (
$account->uid == $user->uid && user_relationships_user_access('delete @relationship relationships', $relationship_type)) {
        return
TRUE;
      }
      break;
?>

Very simple change.

grasmash’s picture

Status:Active» Needs review
StatusFileSize
new1.06 KB
PASSED: [[SimpleTest]]: [MySQL] 1,004 pass(es).
[ View ]

Patch attached.

mrf’s picture

Status:Needs review» Reviewed & tested by the community

I think this is reasonable to include, and probably doesn't warrant a separate permission. If there is a future need for a separate permission it could be something along the lines of 'delete regardless of direction' leaving this as the default.

Patch looks good and works as expected.

Would love to see a 'ban' ability so that followed users aren't completely powerless here, but thats a task for another day.

sw3b’s picture

I agree with the BAN ! Maybe post a feature...

Berdir’s picture

Hm, fine with me. Can we have a comment line above that check that states what it's actually doing? Something along the lines of:

<?php
// Do not allow access if this is a oneway relationship requested by another user.
?>
MrQ’s picture

Is there a solution for D6?

EDIT:
Solved it. In user_relationships.tpl replaced this

$edit_access = ($user->uid == $account->uid && user_access('maintain own relationships')) || user_access('administer users');

with this


$edit_access = ($user->uid == $account->uid && user_access('maintain own relationships') && $relationship->requester->uid == $user->uid) || user_access('administer users');
Simon Georges’s picture

Status:Reviewed & tested by the community» Needs review
StatusFileSize
new820 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch user_relationships_1245796_oneway_relationship_deletion_10.patch. Unable to apply patch. See the log in the details link for more information.
[ View ]

Re-roll of the patch adding comment suggested by Berdir in #8, changing the patch to reflect the comment (by changing $relationship_type->requestee_id == $user->uid into $relationship_type->requester_id != $user->uid).

Please review.

Berdir’s picture

Status:Needs review» Fixed

Commited.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

kerby70’s picture