Ticket #334 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

I can upload files into any friend's file area

Reported by: kevin Assigned to: nobody
Priority: high Milestone: 0.9.2
Component: core Version: 0.9.0
Severity: critical Keywords:
Cc: Patch Included: 1
Review Stage: reviewed

Description (Last modified by misja)

All I need to do to upload files into anyone's file area is to make them my friend. This is using the latest (post 0.9.1) code from SVN.

See:

http://elgg.org/mod/vanillaforum/vanilla/comments.php?DiscussionID=1347

To fix this:

change line 20

in /mod/community/lib/community_membership_check.php

from

WHERE f.owner = ? AND f.friend = ?',array($page_owner,$community_owner)

to

WHERE f.owner = ? AND f.friend = ? AND u.user_type = "community"',array($page_owner,$community_owner)

Change History

03/28/08 22:31:33 changed by kevin

Actually, I think

WHERE f.owner = ? AND f.friend = ? AND u.user_type =?' ,array($page_owner,$community_owner,'community')

would be even better and is basically the same as the (correct) code in Elgg 0.8

03/28/08 22:33:09 changed by kevin

see

/mod/community/lib/permissions_check.php

in Elgg 0.8

03/31/08 07:43:18 changed by misja

  • status changed from new to closed.
  • review_stage changed from unreviewed to reviewed.
  • resolution set to fixed.
  • description changed.
  • milestone changed from 0.9.1 to 0.9.2.

Thanks Kevin, odd how this may have slipped in, corrected in r1575