Steps

1) Enable Write new private messages for auth users
2) Enable Write private messages to relationships for auth users
3) Set Requires Approval for UR
4) Set Only allow sending messages between confirmed relationships. and Only suggest confirmed relationships as message recipients
5) Log in as auth user1
6) Send a friend request to user2
7) Go to messages
8) Type in user2
9) fill in message and send - message created

Files: 
CommentFileSizeAuthor
#1 user_relationships-privmsg_approved_test_only-1368666-1.patch6.03 KBJvE
FAILED: [[SimpleTest]]: [MySQL] 1,140 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#1 user_relationships-privmsg_approved-1368666-1.patch7.01 KBJvE
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es).
[ View ]

Comments

Title:Can send message to non-confirmed friendshipCan send message to non-confirmed relationship
Status:Active» Needs review
StatusFileSize
new7.01 KB
PASSED: [[SimpleTest]]: [MySQL] 1,141 pass(es).
[ View ]
new6.03 KB
FAILED: [[SimpleTest]]: [MySQL] 1,140 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

The issue is that user_relationship_privatemsg_privatemsg_block_message() does not check if approval is required for a relationship.

I added test coverage for this issue to expose the flaw (patch #1).
And I added a fix for the issue (patch #2).

Thanks for this patch! I ran into this bug thinking it was our own privacy module that we've built that was allowing this to happen, but after setting up a vanilla drupal install and enabling these two modules, I noticed it was happening there as well. Testing this patch to see if it fixes the bug. Will report back.

I guess I'm a little late on reporting back...

The patch fixed the issue on a regular Drupal install but unfortunately not on our project. But, it works for normal websites! So there's that.

Status:Needs review» Reviewed & tested by the community

Thank you !

Status:Reviewed & tested by the community» Fixed

Wow, a patch with tests *and* a test-only patch in the UR issue queue :p I must be dreaming :)

Nice work, commited and pushed!

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.