One-way relationship remove by any user implied in the relationship

You are right that there should be a way to configure this. Not sure if this is a bug though.

We're redesigning the permissions in #1115998: Revamp core and UI permissions, which adds a permission for maintaining relationships (approve/decline). It probably won't cover this case yet correctly but it could be a starting point. There will certainly nothing happen here before the linked issue is fixed, so please help there!

@sw3b I'll share with you the way that I addressed this.

Here's my rationale: any user who does not have 'administer relationships' permission should not be able to delete oneway relationship requested by other users. Such users should not be able to control the non-reciprocal relationships of other users in any situation.

Rather than adding a new permission to address this issue, I just added an extra conditional to user_relationships_ui_check_access() in user_relationships_ui.module.

Replace this (~line 177):

    case 'delete':
      if ($account->uid == $user->uid && user_relationships_user_access('delete @relationship relationships', $relationship_type)) {
        return TRUE;
      }
      break;

With:

    case 'delete':
      if (is_object($relationship_type) && $relationship_type->is_oneway && $relationship_type->requestee_id == $user->uid) {
        return FALSE;
      }
      if ($account->uid == $user->uid && user_relationships_user_access('delete @relationship relationships', $relationship_type)) {
        return TRUE;
      }
      break;

Very simple change.

Patch attached.

I think this is reasonable to include, and probably doesn't warrant a separate permission. If there is a future need for a separate permission it could be something along the lines of 'delete regardless of direction' leaving this as the default.

Patch looks good and works as expected.

Would love to see a 'ban' ability so that followed users aren't completely powerless here, but thats a task for another day.

Hm, fine with me. Can we have a comment line above that check that states what it's actually doing? Something along the lines of:

// Do not allow access if this is a oneway relationship requested by another user.

Is there a solution for D6?

EDIT:
Solved it. In user_relationships.tpl replaced this

$edit_access = ($user->uid == $account->uid && user_access('maintain own relationships')) || user_access('administer users');

with this

$edit_access = ($user->uid == $account->uid && user_access('maintain own relationships') && $relationship->requester->uid == $user->uid) || user_access('administer users');

Re-roll of the patch adding comment suggested by Berdir in #8, changing the patch to reflect the comment (by changing $relationship_type->requestee_id == $user->uid into $relationship_type->requester_id != $user->uid).

Please review.

Commited.