authorSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
committerSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
commit4a3c49240140449ef4c91c4b999a91b11380db3c (patch)
tree3d1e92342473e2fd90059d9abcfe88e79def9a25
parentd71309056037adc869319566f9ec53313eb192d8 (diff)
downloadelgg-4a3c49240140449ef4c91c4b999a91b11380db3c.tar.gz
elgg-4a3c49240140449ef4c91c4b999a91b11380db3c.tar.bz2
Fixes #4138: Admin can edit any users' notifications
-rw-r--r--mod/notifications/actions/groupsave.php29
-rw-r--r--mod/notifications/actions/save.php11
-rw-r--r--mod/notifications/groups.php21
-rw-r--r--mod/notifications/index.php21
-rw-r--r--mod/notifications/start.php22
-rw-r--r--mod/notifications/views/default/forms/notificationsettings/groupsave.php8
-rw-r--r--mod/notifications/views/default/forms/notificationsettings/save.php16
-rw-r--r--mod/notifications/views/default/notifications/subscriptions/collections.php14
-rw-r--r--mod/notifications/views/default/notifications/subscriptions/form.php9
-rw-r--r--mod/notifications/views/default/notifications/subscriptions/forminternals.php20
-rw-r--r--mod/notifications/views/default/notifications/subscriptions/personal.php8
11 files changed, 134 insertions, 45 deletions
diff --git a/mod/notifications/actions/groupsave.php b/mod/notifications/actions/groupsave.php
index c304cb856..7838f7e63 100644
--- a/mod/notifications/actions/groupsave.php
+++ b/mod/notifications/actions/groupsave.php
@@ -6,27 +6,42 @@
* @package ElggNotifications
*/
-// Load important global vars
-global $NOTIFICATION_HANDLERS;
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+ forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+}
// Get group memberships and condense them down to an array of guids
$groups = array();
-if ($groupmemberships = elgg_get_entities_from_relationship(array('relationship' => 'member', 'relationship_guid' => elgg_get_logged_in_user_guid(), 'types' => 'group', 'limit' => 9999))) {
+$options = array(
+ 'relationship' => 'member',
+ 'relationship_guid' => $user->guid,
+ 'types' => 'group',
+ 'limit' => 9999,
+);
+if ($groupmemberships = elgg_get_entities_from_relationship($options)) {
foreach($groupmemberships as $groupmembership) {
$groups[] = $groupmembership->guid;
}
-}
+}
+// Load important global vars
+global $NOTIFICATION_HANDLERS;
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$subscriptions[$method] = get_input($method.'subscriptions');
$personal[$method] = get_input($method.'personal');
$collections[$method] = get_input($method.'collections');
if (!empty($groups)) {
foreach($groups as $group) {
- if (in_array($group,$subscriptions[$method])) {
- add_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group);
+ if (in_array($group, $subscriptions[$method])) {
+ add_entity_relationship($user->guid, 'notify'.$method, $group);
} else {
- remove_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group);
+ remove_entity_relationship($user->guid, 'notify'.$method, $group);
}
}
}
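Review bot: `get_entity($guid)` in the new guard returns any entity type, so the `$user` that passes the check is not guaranteed to be an ElggUser; for an administrator the rest of the action then runs against whatever guid was posted. The guard could require the type as well, `if (!$guid || !(($user = get_entity($guid)) instanceof ElggUser)) { forward(); }`, matching the `instanceof ElggUser` test this commit adds in groups.php and index.php. The same guard is added in mod/notifications/actions/save.php and needs the same change. A one-line comment above the ownership test, such as `// only the account owner or an admin may change these settings`, would also record why the posted guid is not trusted.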
diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php
index 163b656aa..3fe0001a3 100644
--- a/mod/notifications/actions/save.php
+++ b/mod/notifications/actions/save.php
@@ -6,9 +6,18 @@
* @package ElggNotifications
*/
-$user = elgg_get_logged_in_user_entity();
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+ forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+}
global $NOTIFICATION_HANDLERS;
+$subscriptions = array();
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$subscriptions[$method] = get_input($method.'subscriptions');
$personal[$method] = get_input($method.'personal');
diff --git a/mod/notifications/groups.php b/mod/notifications/groups.php
index 45fb94e83..3e81e474a 100644
--- a/mod/notifications/groups.php
+++ b/mod/notifications/groups.php
@@ -3,16 +3,16 @@
* Elgg notifications plugin group index
*
* @package ElggNotifications
+ *
+ * @uses $user ElggUser
*/
-// Load Elgg framework
-require_once(dirname(dirname(dirname(__FILE__))) . '/engine/start.php');
-
-// Ensure only logged-in users can see this page
-gatekeeper();
+if (!isset($user) || !($user instanceof ElggUser)) {
+ $url = 'notifications/group/' . elgg_get_logged_in_user_entity()->username;
+ forward($url);
+}
-elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
-$user = elgg_get_page_owner_entity();
+elgg_set_page_owner_guid($user);
// Set the context to settings
elgg_set_context('settings');
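Review bot: `elgg_set_page_owner_guid($user);` passes the ElggUser object where the removed line passed a guid (`elgg_get_logged_in_user_guid()`); it should read `elgg_set_page_owner_guid($user->guid);`. This matters beyond tidiness because the same commit makes notifications_plugin_pagesetup() in start.php build its menu links from `elgg_get_page_owner_entity()`, so a page owner that does not resolve would presumably fall back to the logged-in user and link an administrator to their own settings rather than to the user being edited. The identical line is added in mod/notifications/index.php.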
@@ -27,12 +27,15 @@ $people = array();
$groupmemberships = elgg_get_entities_from_relationship(array(
'relationship' => 'member',
- 'relationship_guid' => elgg_get_logged_in_user_guid(),
+ 'relationship_guid' => $user->guid,
'types' => 'group',
'limit' => 9999,
));
-$body = elgg_view_form('notificationsettings/groupsave', array(), array('groups' => $groupmemberships));
+$body = elgg_view_form('notificationsettings/groupsave', array(), array(
+ 'groups' => $groupmemberships,
+ 'user' => $user,
+));
$params = array(
'content' => $body,
diff --git a/mod/notifications/index.php b/mod/notifications/index.php
index 882389fde..f4143f57b 100644
--- a/mod/notifications/index.php
+++ b/mod/notifications/index.php
@@ -3,16 +3,16 @@
* Elgg notifications plugin index
*
* @package ElggNotifications
+ *
+ * @uses $user ElggUser
*/
-// Load Elgg framework
-require_once(dirname(dirname(dirname(__FILE__))) . '/engine/start.php');
-
-// Ensure only logged-in users can see this page
-gatekeeper();
+if (!isset($user) || !($user instanceof ElggUser)) {
+ $url = 'notifications/personal/' . elgg_get_logged_in_user_entity()->username;
+ forward($url);
+}
-elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
-$user = elgg_get_page_owner_entity();
+elgg_set_page_owner_guid($user);
// Set the context to settings
elgg_set_context('settings');
@@ -26,7 +26,7 @@ elgg_push_breadcrumb($title);
$people = array();
if ($people_ents = elgg_get_entities_from_relationship(array(
'relationship' => 'notify',
- 'relationship_guid' => elgg_get_logged_in_user_guid(),
+ 'relationship_guid' => $user->guid,
'types' => 'user',
'limit' => 99999,
))) {
@@ -36,7 +36,10 @@ if ($people_ents = elgg_get_entities_from_relationship(array(
}
}
-$body = elgg_view('notifications/subscriptions/form', array('people' => $people));
+$body = elgg_view('notifications/subscriptions/form', array(
+ 'people' => $people,
+ 'user' => $user,
+));
$params = array(
'content' => $body,
diff --git a/mod/notifications/start.php b/mod/notifications/start.php
index 761f17e40..d5d418f0f 100644
--- a/mod/notifications/start.php
+++ b/mod/notifications/start.php
@@ -40,13 +40,25 @@ function notifications_plugin_init() {
*/
function notifications_page_handler($page) {
+ gatekeeper();
+ $current_user = elgg_get_logged_in_user_entity();
+
// default to personal notifications
if (!isset($page[0])) {
$page[0] = 'personal';
}
+ if (!isset($page[1])) {
+ forward("notifications/{$page[0]}/{$current_user->username}");
+ }
+
+ $user = get_user_by_username($page[1]);
+ if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+ }
$base = elgg_get_plugins_path() . 'notifications';
+ // note: $user passed in
switch ($page[0]) {
case 'group':
require "$base/groups.php";
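Review bot: The result of `get_user_by_username($page[1])` is dereferenced without checking that a user was found, so an unknown username in the URL reaches `$user->guid` on a non-object. The authorization test should fail closed explicitly: `if (!$user || (($user->guid != $current_user->guid) && !$current_user->isAdmin())) { forward(); }`. As written, an administrator requesting a nonexistent username gets past this test and is only stopped by the `instanceof ElggUser` check in the included page. The body of notifications_page_handler() continues outside this hunk.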
@@ -66,12 +78,16 @@ function notifications_page_handler($page) {
*/
function notifications_plugin_pagesetup() {
if (elgg_get_context() == "settings" && elgg_get_logged_in_user_guid()) {
- $user = elgg_get_logged_in_user_entity();
+
+ $user = elgg_get_page_owner_entity();
+ if (!$user) {
+ $user = elgg_get_logged_in_user_entity();
+ }
$params = array(
'name' => '2_a_user_notify',
'text' => elgg_echo('notifications:subscriptions:changesettings'),
- 'href' => "notifications/personal",
+ 'href' => "notifications/personal/{$user->username}",
);
elgg_register_menu_item('page', $params);
@@ -79,7 +95,7 @@ function notifications_plugin_pagesetup() {
$params = array(
'name' => '2_group_notify',
'text' => elgg_echo('notifications:subscriptions:changesettings:groups'),
- 'href' => "notifications/group",
+ 'href' => "notifications/group/{$user->username}",
);
elgg_register_menu_item('page', $params);
}
diff --git a/mod/notifications/views/default/forms/notificationsettings/groupsave.php b/mod/notifications/views/default/forms/notificationsettings/groupsave.php
index 61b94ff8b..168639ab2 100644
--- a/mod/notifications/views/default/forms/notificationsettings/groupsave.php
+++ b/mod/notifications/views/default/forms/notificationsettings/groupsave.php
@@ -3,13 +3,18 @@
* Elgg notifications groups subscription form
*
* @package ElggNotifications
+ *
+ * @uses $vars['user'] ElggUser
*/
+/* @var ElggUser $user */
+$user = $vars['user'];
+
global $NOTIFICATION_HANDLERS;
foreach ($NOTIFICATION_HANDLERS as $method => $foo) {
$subsbig[$method] = elgg_get_entities_from_relationship(array(
'relationship' => 'notify' . $method,
- 'relationship_guid' => elgg_get_logged_in_user_guid(),
+ 'relationship_guid' => $user->guid,
'types' => 'group',
'limit' => 99999,
));
@@ -97,6 +102,7 @@ END;
<?php
}
echo '<div class="elgg-foot mtm">';
+ echo elgg_view('input/hidden', array('name' => 'guid', 'value' => $user->guid));
echo elgg_view('input/submit', array('value' => elgg_echo('save')));
echo '</div>';
diff --git a/mod/notifications/views/default/forms/notificationsettings/save.php b/mod/notifications/views/default/forms/notificationsettings/save.php
index ff32d8558..9470256ca 100644
--- a/mod/notifications/views/default/forms/notificationsettings/save.php
+++ b/mod/notifications/views/default/forms/notificationsettings/save.php
@@ -1,13 +1,21 @@
<?php
/**
* Personal notifications form body
+ *
+ * @uses $vars['user'] ElggUser
*/
-echo elgg_view('notifications/subscriptions/personal');
-echo elgg_view('notifications/subscriptions/collections');
-echo elgg_view('notifications/subscriptions/forminternals');
+/* @var ElggUser $user */
+$user = $vars['user'];
+
+echo elgg_view('notifications/subscriptions/personal', $vars);
+echo elgg_view('notifications/subscriptions/collections', $vars);
+echo elgg_view('notifications/subscriptions/forminternals', $vars);
?>
<div class="elgg-foot">
-<?php echo elgg_view('input/submit', array('value' => elgg_echo('save'))); ?>
+<?php
+echo elgg_view('input/hidden', array('name' => 'guid', 'value' => $user->guid));
+echo elgg_view('input/submit', array('value' => elgg_echo('save')));
+?>
</div>
diff --git a/mod/notifications/views/default/notifications/subscriptions/collections.php b/mod/notifications/views/default/notifications/subscriptions/collections.php
index 28d9fb5b8..b8787570d 100644
--- a/mod/notifications/views/default/notifications/subscriptions/collections.php
+++ b/mod/notifications/views/default/notifications/subscriptions/collections.php
@@ -1,4 +1,12 @@
-<?php //@todo JS 1.8: no ?>
+<?php
+/**
+ * @uses $vars['user'] ElggUser
+ */
+
+/* @var ElggUser $user */
+$user = $vars['user'];
+
+//@todo JS 1.8: no ?>
<script type="text/javascript">
function setCollection(members, method, id) {
@@ -42,7 +50,7 @@
</tr>
<?php
$members = array();
- if ($friends = get_user_friends(elgg_get_logged_in_user_guid(), '', 9999, 0)) {
+ if ($friends = get_user_friends($user->guid, '', 9999, 0)) {
foreach($friends as $friend) {
$members[] = $friend->guid;
}
@@ -63,7 +71,7 @@
$i = 0;
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$metaname = 'collections_notifications_preferences_' . $method;
- if ($collections_preferences = elgg_get_logged_in_user_entity()->$metaname) {
+ if ($collections_preferences = $user->$metaname) {
if (!empty($collections_preferences) && !is_array($collections_preferences)) {
$collections_preferences = array($collections_preferences);
}
diff --git a/mod/notifications/views/default/notifications/subscriptions/form.php b/mod/notifications/views/default/notifications/subscriptions/form.php
index f2f6238f9..8ae27f829 100644
--- a/mod/notifications/views/default/notifications/subscriptions/form.php
+++ b/mod/notifications/views/default/notifications/subscriptions/form.php
@@ -1,11 +1,16 @@
<?php
/**
* Elgg personal notifications
+ *
+ * @uses $vars['user'] ElggUser
*/
-echo elgg_view('subscriptions/form/additions',$vars);
+echo elgg_view('subscriptions/form/additions', $vars);
// Display a description
-echo elgg_view_form('notificationsettings/save', array('class' => 'elgg-form-alt'));
+echo elgg_view_form('notificationsettings/save', array(
+ 'class' => 'elgg-form-alt',
+ 'user' => $vars['user']
+));
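Review bot: `'user' => $vars['user']` is placed in the second argument of `elgg_view_form()`, next to `'class'`, whereas groups.php in this commit passes `'user'` in the third argument (`array(), array('groups' => ..., 'user' => $user)`). If the second argument holds form-tag attributes and the third the variables for the form body, as that call suggests, forms/notificationsettings/save.php will not receive `$vars['user']` and its hidden `guid` field will be empty, so the save action forwards without saving. The call would then be `echo elgg_view_form('notificationsettings/save', array('class' => 'elgg-form-alt'), array('user' => $vars['user']));`.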
diff --git a/mod/notifications/views/default/notifications/subscriptions/forminternals.php b/mod/notifications/views/default/notifications/subscriptions/forminternals.php
index e89ce02be..11f266303 100644
--- a/mod/notifications/views/default/notifications/subscriptions/forminternals.php
+++ b/mod/notifications/views/default/notifications/subscriptions/forminternals.php
@@ -1,8 +1,13 @@
<?php
/**
* Hacked up friends picker that needs to be replaced
+ *
+ * @uses $vars['user'] ElggUser
*/
+/* @var ElggUser $user */
+$user = $vars['user'];
+
elgg_load_js('elgg.friendspicker');
elgg_load_js('jquery.easing');
@@ -19,11 +24,16 @@ elgg_load_js('jquery.easing');
<?php
// Get friends and subscriptions
-$friends = get_user_friends(elgg_get_logged_in_user_guid(),'',9999,0);
+$friends = get_user_friends($user->guid, '', 9999, 0);
global $NOTIFICATION_HANDLERS;
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
- $subsbig[$method] = elgg_get_entities_from_relationship(array('relationship' => 'notify' . $method, 'relationship_guid' => elgg_get_logged_in_user_guid(), 'types' => 'user', 'limit' => 99999));
+ $subsbig[$method] = elgg_get_entities_from_relationship(array(
+ 'relationship' => 'notify' . $method,
+ 'relationship_guid' => $user->guid,
+ 'types' => 'user',
+ 'limit' => 99999,
+ ));
}
$subs = array();
@@ -88,9 +98,9 @@ if (isset($vars['formtarget'])) {
// Sort users by letter
if (is_array($friends) && sizeof($friends)) {
- foreach($friends as $user) {
+ foreach($friends as $friend) {
- $letter = elgg_substr($user->name,0,1);
+ $letter = elgg_substr($friend->name,0,1);
$letter = elgg_strtoupper($letter);
if (!elgg_substr_count($chararray,$letter)) {
$letter = "*";
@@ -98,7 +108,7 @@ if (is_array($friends) && sizeof($friends)) {
if (!isset($users[$letter])) {
$users[$letter] = array();
}
- $users[$letter][$user->guid] = $user;
+ $users[$letter][$friend->guid] = $friend;
}
}
diff --git a/mod/notifications/views/default/notifications/subscriptions/personal.php b/mod/notifications/views/default/notifications/subscriptions/personal.php
index 7dac908fc..cf05426e2 100644
--- a/mod/notifications/views/default/notifications/subscriptions/personal.php
+++ b/mod/notifications/views/default/notifications/subscriptions/personal.php
@@ -1,4 +1,10 @@
<?php
+/**
+ * @uses $vars['user'] ElggUser
+ */
+
+/* @var ElggUser $user */
+$user = $vars['user'];
global $NOTIFICATION_HANDLERS;
@@ -40,7 +46,7 @@ foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$fields = '';
$i = 0;
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
- if ($notification_settings = get_user_notification_settings(elgg_get_logged_in_user_guid())) {
+ if ($notification_settings = get_user_notification_settings($user->guid)) {
if ($notification_settings->$method) {
$personalchecked[$method] = 'checked="checked"';
} else {