Prevent group creation by silenced users.

* adds Right::CREATEGROUP * logic in Profile::hasRight() checks for silencing * NewgroupAction checks for the permission before letting you see or process the form in the UI * User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.

Prevent group creation by silenced users.
* adds Right::CREATEGROUP * logic in Profile::hasRight() checks for silencing * NewgroupAction checks for the permission before letting you see or process the form in the UI * User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.
d3d97974 · Brion Vibber · 46123e37 · d3d97974 · d3d97974 · d3d97974
Commit d3d97974 authored Dec 28, 2010 by Brion Vibber
Showing with 19 additions and 0 deletions

actions/newgroup.php actions/newgroup.php +7 -0

classes/Profile.php classes/Profile.php +1 -0

classes/User_group.php classes/User_group.php +10 -0

lib/right.php lib/right.php +1 -0

No files found.
--- a/actions/newgroup.php
+++ b/actions/newgroup.php
@@ -66,6 +66,13 @@ class NewgroupAction extends Action
            return false;
        }
+        $user = common_current_user();
+        $profile = $user->getProfile();
+        if (!$profile->hasRight(Right::CREATEGROUP)) {
+            // TRANS: Client exception thrown when a user tries to create a group while banned.
+            throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+        }
        return true;
    }

--- a/classes/Profile.php
+++ b/classes/Profile.php
@@ -909,6 +909,7 @@ class Profile extends Memcached_DataObject
            case Right::NEWNOTICE:
            case Right::NEWMESSAGE:
            case Right::SUBSCRIBE:
+            case Right::CREATEGROUP:
                $result = !$this->isSilenced();
                break;
            case Right::PUBLICNOTICE:

--- a/classes/User_group.php
+++ b/classes/User_group.php
@@ -465,6 +465,16 @@ class User_group extends Memcached_DataObject
    }
    static function register($fields) {
+        if (!empty($fields['userid'])) {
+            $profile = Profile::staticGet('id', $fields['userid']);
+            if ($profile && !$profile->hasRight(Right::CREATEGROUP)) {
+                common_log(LOG_WARNING, "Attempted group creation from banned user: " . $profile->nickname);
+                // TRANS: Client exception thrown when a user tries to create a group while banned.
+                throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+            }
+        }
        // MAGICALLY put fields into current scope
        extract($fields);

--- a/lib/right.php
+++ b/lib/right.php
@@ -61,5 +61,6 @@ class Right
    const GRANTROLE          = 'grantrole';
    const REVOKEROLE         = 'revokerole';
    const DELETEGROUP        = 'deletegroup';
+    const CREATEGROUP        = 'creategroup';
 }