
mahara-contributors team mailing list archive

Re: [Bug 668082] Re: Incorrect URL in friend requests as Admin (controlling other user)

 

Hi Ruslan,

Our user has multiple instances of the same user and I believe this is 
actually what is causing the error.
I'm still investigating and I think that this has something to do with the 
user's session.

Thank you for your response. I will contact you with further information 
once I can confirm that this is the case.

Thanks
JC

On 10-10-29 2:17 AM, Ruslan Kabalin wrote:
> Hi Julian,
>
> As far as I can see, there is no direct sendmessage link in the
> automatic email generated on friendship request, only the link to the
> user profile (e.g. .../user/view.php?id=2).
>
> Which version of Mahara do you use?
>


-- 

Julian Charles
Web Developer
e-Lab Project
Ph: 780-392-1204
Cel: 780-721-0469
email: jcharles@xxxxxxxxxxxxx



-- 
Incorrect URL in friend requests as Admin (controlling other user)
https://bugs.launchpad.net/bugs/668082
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: New

Bug description:
Friendship request emails generated through an Admin account logged in as another user generate an incorrect parameter ID in the generated email URL. (user/sendmessage.php?id=30&replyto=104)

This causes an Access Denied Exception when the actual user clicks the link contained in the message.

    // Make sure the message was sent by the user being replied to
    $bits = parse_url($replyto->url);
    parse_str($bits['query'], $params);
    if (empty($params['id']) || $params['id'] != $id) {
        throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
    }
}




