1. 2 user types
  2. One-way relationship
  3. Both have 100% permissions (have, maintain, request, delete + view own in UI)
  4. Requester requests, receiver accepts
  5. Receiver goes to /user/[uid]/relationships/[rtid]

Notice: Undefined property: stdClass::$requester_id in user_relationships_ui_check_access() (line 172 of *\sites\all\modules\user_relationships\user_relationships_ui\user_relationships_ui.module).

Looks like a bug in the logic here in user_relationships_ui_check_access()

    case 'delete':
      // Do not allow access if this is a oneway relationship requested by another user.
      if (is_object($relationship_type) && $relationship_type->is_oneway && $relationship_type->requester_id != $user->uid) {
        return FALSE;

You could probably make the Notice go away by first checking for the existence of the requester_id property, but this raises 2 questions:

  1. Why is $relationship_type->requester_id not set?
  2. Why "Do not allow access if this is a oneway relationship requested by another user."?

Permissions say the receiver of request user should be able to "Delete x relationships" -- why is there logic here that explicitly prevents that?

#2 user_relationships-php_notice_and_oneway_logic-1898026-1.patch1.26 KBtmsimont
PASSED: [[SimpleTest]]: [MySQL] 1,047 pass(es).
[ View ]


tmsimont’s picture

Status:Active» Needs review

Removing troublesome block of code works, and retains the "delete @relationship relationships" permission setting, but still leaves the question: why was this logic there in the first place?

tmsimont’s picture

new1.26 KB
PASSED: [[SimpleTest]]: [MySQL] 1,047 pass(es).
[ View ]

attach fail

tmsimont’s picture

Status:Needs review» Closed (duplicate)

closing as duplicate of #1328170: Maintain, Delete and Request permissions problems -- there are bigger permissions problems that are all related