1. 2 user types
  2. One-way relationship
  3. Both have 100% permissions (have, maintain, request, delete + view own in UI)
  4. Requester requests, receiver accepts
  5. Receiver goes to /user/[uid]/relationships/[rtid]

Notice: Undefined property: stdClass::$requester_id in user_relationships_ui_check_access() (line 172 of *\sites\all\modules\user_relationships\user_relationships_ui\user_relationships_ui.module).

Looks like a bug in the logic here in user_relationships_ui_check_access()

<?php
   
case 'delete':
     
// Do not allow access if this is a oneway relationship requested by another user.
     
if (is_object($relationship_type) && $relationship_type->is_oneway && $relationship_type->requester_id != $user->uid) {
        return
FALSE;
      }
?>

You could probably make the Notice go away by first checking for the existence of the requester_id property, but this raises 2 questions:

  1. Why is $relationship_type->requester_id not set?
  2. Why "Do not allow access if this is a oneway relationship requested by another user."?

Permissions say the receiver of request user should be able to "Delete x relationships" -- why is there logic here that explicitly prevents that?

Files: 
CommentFileSizeAuthor
#2 user_relationships-php_notice_and_oneway_logic-1898026-1.patch1.26 KBtmsimont
PASSED: [[SimpleTest]]: [MySQL] 1,047 pass(es).
[ View ]

Comments

Status:Active» Needs review

Removing troublesome block of code works, and retains the "delete @relationship relationships" permission setting, but still leaves the question: why was this logic there in the first place?

StatusFileSize
new1.26 KB
PASSED: [[SimpleTest]]: [MySQL] 1,047 pass(es).
[ View ]

attach fail

Status:Needs review» Closed (duplicate)

closing as duplicate of #1328170: Maintain, Delete and Request permissions problems -- there are bigger permissions problems that are all related