1) Enable Write new private messages for auth users
2) Enable Write private messages to relationships for auth users
3) Set Requires Approval for UR
4) Set Only allow sending messages between confirmed relationships. and Only suggest confirmed relationships as message recipients
5) Log in as auth user1
6) Send a friend request to user2
7) Go to messages
8) Type in user2
9) Fill in message and send - message created



JvE’s picture

Title: Can send message to non-confirmed friendship » Can send message to non-confirmed relationship
Status: Active » Needs review

The issue is that user_relationship_privatemsg_privatemsg_block_message() does not check if approval is required for a relationship.

I added test coverage for this issue to expose the flaw (patch #1).
And I added a fix for the issue (patch #2).
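
A simplified, self-contained PHP model of the missing check described above, added here as an illustration and not taken from the module or from either patch; the relationship rows, type table and function names are all constructed. It contrasts a check that accepts any relationship row with one that honours the approval requirement.

```php
<?php
// Simplified model, not the module's code. All names and rows are constructed.
// Relationship types: rtid => does a request need the recipient's approval?
$types = [
  1 => ['name' => 'friend', 'requires_approval' => true],
  2 => ['name' => 'follower', 'requires_approval' => false],
];

// Relationship rows in this model: requester, requestee, type, approved flag.
$relationships = [
  ['requester' => 1, 'requestee' => 2, 'rtid' => 1, 'approved' => false], // pending request
  ['requester' => 1, 'requestee' => 3, 'rtid' => 1, 'approved' => true],  // confirmed
  ['requester' => 1, 'requestee' => 4, 'rtid' => 2, 'approved' => false], // type needs no approval
];

// All rows linking users $a and $b, in either direction.
function rows_between(array $rows, int $a, int $b): array {
  return array_filter($rows, function ($r) use ($a, $b) {
    return ($r['requester'] === $a && $r['requestee'] === $b)
        || ($r['requester'] === $b && $r['requestee'] === $a);
  });
}

// Flawed: any row counts, so a pending request already unlocks messaging.
function may_message_flawed(array $rows, int $author, int $recipient): bool {
  return count(rows_between($rows, $author, $recipient)) > 0;
}

// Checked: a row counts only if it is confirmed, or its type never needs approval.
function may_message_checked(array $rows, array $types, int $author, int $recipient): bool {
  foreach (rows_between($rows, $author, $recipient) as $r) {
    $type = $types[$r['rtid']] ?? null;
    if ($type === null) {
      continue; // unknown relationship type: fail closed
    }
    if ($r['approved'] || !$type['requires_approval']) {
      return true;
    }
  }
  return false;
}

// user2 = pending request, user3 = confirmed, user4 = no approval needed, user5 = no relationship.
foreach ([2, 3, 4, 5] as $recipient) {
  printf("user1 -> user%d  flawed=%s  checked=%s\n", $recipient,
    var_export(may_message_flawed($relationships, 1, $recipient), true),
    var_export(may_message_checked($relationships, $types, 1, $recipient), true));
}
```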

mike.roberts’s picture

Thanks for this patch! I ran into this bug thinking it was our own privacy module that we've built that was allowing this to happen, but after setting up a vanilla Drupal install and enabling these two modules, I noticed it was happening there as well. Testing this patch to see if it fixes the bug. Will report back.

mike.roberts’s picture

I guess I'm a little late on reporting back...

The patch fixed the issue on a regular Drupal install but unfortunately not on our project. But, it works for normal websites! So there's that.

DuaelFr’s picture

Status: Needs review » Reviewed & tested by the community

Thank you!

Berdir’s picture

Status: Reviewed & tested by the community » Fixed

Wow, a patch with tests *and* a test-only patch in the UR issue queue :p I must be dreaming :)

Nice work, committed and pushed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.