mahara-contributors team mailing list archive
Message #01989
[Bug 668082] Re: Incorrect URL in friend requests as Admin (controlling other user)
Resolution is to check if the current user is admin but acting as pseudo
for the account making the request. If the current user is Admin as
pseudo, use the pseudo account ID.
--
Incorrect URL in friend requests as Admin (controlling other user)
https://bugs.launchpad.net/bugs/668082
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Status in Mahara ePortfolio: New
Bug description:
Friendship request emails generated through an Admin account logged in as another user generate an incorrect parameter ID in the generated email URL. (user/sendmessage.php?id=30&replyto=104)
This causes an Access Denied Exception when the actual user clicks the link contained in the message.
    // Make sure the message was sent by the user being replied to
    $bits = parse_url($replyto->url);
    parse_str($bits['query'], $params);
    if (empty($params['id']) || $params['id'] != $id) {
        throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
    }
}
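
An added illustration (not Mahara's code and not part of the original message) of the resolution described above together with the check in the excerpt. The session keys, function names and IDs are constructed, and the model assumes the stored message URL carries the pseudo account ID while the unfixed email link carried the admin's own ID.

```php
<?php
// Added illustration. Session keys, function names and IDs are constructed, not Mahara's.

// ID that identifies the requester: the pseudo (masqueraded) account when an
// admin is acting as another user, otherwise the logged-in account.
function requester_id(array $session): int {
    return $session['acting_as'] ?? $session['user_id'];
}

// Build the reply link in the same shape as the URL quoted in the bug description.
function reply_url(int $requesterid, int $messageid): string {
    return 'user/sendmessage.php?' . http_build_query(['id' => $requesterid, 'replyto' => $messageid]);
}

// Same comparison as the excerpt above, returning a boolean instead of throwing
// and tolerating a stored URL that has no query string.
function reply_allowed(string $storedurl, int $id): bool {
    $query = parse_url($storedurl, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);
    return !empty($params['id']) && $params['id'] == $id;
}

// Constructed scenario: admin 1 is acting as user 42 and sends a friend request
// that is stored as message 7 with the acting account recorded as its sender.
$session   = ['user_id' => 1, 'acting_as' => 42];
$storedurl = reply_url(42, 7);

// Before the fix: the email link is built from the admin's own ID, which does
// not match the sender recorded in the stored message URL.
parse_str(parse_url(reply_url($session['user_id'], 7), PHP_URL_QUERY), $clicked);
var_dump(reply_allowed($storedurl, (int) $clicked['id']));

// After the fix: the email link is built from the pseudo account ID, so the
// recipient's click carries the same ID the check expects.
parse_str(parse_url(reply_url(requester_id($session), 7), PHP_URL_QUERY), $clicked);
var_dump(reply_allowed($storedurl, (int) $clicked['id']));
```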