mahara-contributors team mailing list archive
Message #01994
[Bug 668082] Re: Incorrect URL in friend requests as Admin (controlling other user)
** Description changed:
- Friendship request emails generated through an Admin account logged in
- as another user generate an incorrect parameter ID in the generated
- email URL. (user/sendmessage.php?id=30&replyto=104)
+ Emails generated through an Admin account logged in as another user
+ generate an incorrect parameter ID in the generated email URL.
+ (user/sendmessage.php?id=30&replyto=104)
This causes an Access Denied Exception when the actual user clicks the
link contained in the message.
// Make sure the message was sent by the user being replied to
- $bits = parse_url($replyto->url);
- parse_str($bits['query'], $params);
- if (empty($params['id']) || $params['id'] != $id) {
- throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
- }
+ $bits = parse_url($replyto->url);
+ parse_str($bits['query'], $params);
+ if (empty($params['id']) || $params['id'] != $id) {
+ throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
+ }
}
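Review bot: the reworded opening sentence widens the report from "Friendship request emails" to all "Emails generated through an Admin account logged in as another user", but the bug title still reads "Incorrect URL in friend requests as Admin (controlling other user)". If other message types are affected, the title should be updated to match. The description also does not say which of the two parameters in user/sendmessage.php?id=30&replyto=104 carries the wrong value, and stating that would make the failing `$params['id'] != $id` comparison easier to trace.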
--
Incorrect URL in friend requests as Admin (controlling other user)
https://bugs.launchpad.net/bugs/668082
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Status in Mahara ePortfolio: New
Bug description:
Emails generated through an Admin account logged in as another user generate an incorrect parameter ID in the generated email URL. (user/sendmessage.php?id=30&replyto=104)
This causes an Access Denied Exception when the actual user clicks the link contained in the message.
        // Make sure the message was sent by the user being replied to
        $bits = parse_url($replyto->url);
        parse_str($bits['query'], $params);
        if (empty($params['id']) || $params['id'] != $id) {
            throw new AccessDeniedException(get_string('cantviewmessage', 'group'));
        }
    }