
mahara-contributors team mailing list archive

[Bug 668082] [NEW] Incorrect URL in friend requests as Admin (controlling other user)

 

Public bug reported:

Friendship request emails generated through an Admin account logged in
as another user generate an incorrect parameter ID in the generated
email URL. (user/sendmessage.php?id=30&replyto=104)

This causes an Access Denied Exception when the actual user clicks the
link contained in the message.

    // Make sure the message was sent by the user being replied to
    $bits = parse_url($replyto->url);
    parse_str($bits['query'], $params);
    if (empty($params['id']) || $params['id'] != $id) {
        throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
    }
}

** Affects: mahara
     Importance: Undecided
         Status: New

-- 
Incorrect URL in friend requests as Admin (controlling other user)
https://bugs.launchpad.net/bugs/668082
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: New





