authorSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
committerSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
commit4a3c49240140449ef4c91c4b999a91b11380db3c (patch)
tree3d1e92342473e2fd90059d9abcfe88e79def9a25 /mod/notifications/actions
parentd71309056037adc869319566f9ec53313eb192d8 (diff)
downloadelgg-4a3c49240140449ef4c91c4b999a91b11380db3c.tar.gz
elgg-4a3c49240140449ef4c91c4b999a91b11380db3c.tar.bz2
Fixes #4138: Admin can edit any users' notifications
Diffstat (limited to 'mod/notifications/actions')
-rw-r--r--mod/notifications/actions/groupsave.php29
-rw-r--r--mod/notifications/actions/save.php11
2 files changed, 32 insertions, 8 deletions
diff --git a/mod/notifications/actions/groupsave.php b/mod/notifications/actions/groupsave.php
index c304cb856..7838f7e63 100644
--- a/mod/notifications/actions/groupsave.php
+++ b/mod/notifications/actions/groupsave.php
@@ -6,27 +6,42 @@
* @package ElggNotifications
*/
-// Load important global vars
-global $NOTIFICATION_HANDLERS;
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+ forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+}
// Get group memberships and condense them down to an array of guids
$groups = array();
-if ($groupmemberships = elgg_get_entities_from_relationship(array('relationship' => 'member', 'relationship_guid' => elgg_get_logged_in_user_guid(), 'types' => 'group', 'limit' => 9999))) {
+$options = array(
+ 'relationship' => 'member',
+ 'relationship_guid' => $user->guid,
+ 'types' => 'group',
+ 'limit' => 9999,
+);
+if ($groupmemberships = elgg_get_entities_from_relationship($options)) {
foreach($groupmemberships as $groupmembership) {
$groups[] = $groupmembership->guid;
}
-}
+}
+// Load important global vars
+global $NOTIFICATION_HANDLERS;
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$subscriptions[$method] = get_input($method.'subscriptions');
$personal[$method] = get_input($method.'personal');
$collections[$method] = get_input($method.'collections');
if (!empty($groups)) {
foreach($groups as $group) {
- if (in_array($group,$subscriptions[$method])) {
- add_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group);
+ if (in_array($group, $subscriptions[$method])) {
+ add_entity_relationship($user->guid, 'notify'.$method, $group);
} else {
- remove_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group);
+ remove_entity_relationship($user->guid, 'notify'.$method, $group);
}
}
}
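Review bot: The entity returned by `get_entity($guid)` is never checked to be a user, so on an admin request any entity GUID (a group or an object) passes both guards, and the `notify` relationships further down are then written against that GUID. Tightening the first guard to `if (!$guid || !(($user = get_entity($guid)) instanceof ElggUser)) {` keeps the action limited to user accounts. The same guard is repeated in save.php and needs the same change. The script continues past the end of this hunk, so later uses of `$user` are not visible here.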
diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php
index 163b656aa..3fe0001a3 100644
--- a/mod/notifications/actions/save.php
+++ b/mod/notifications/actions/save.php
@@ -6,9 +6,18 @@
* @package ElggNotifications
*/
-$user = elgg_get_logged_in_user_entity();
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+ forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+}
global $NOTIFICATION_HANDLERS;
+$subscriptions = array();
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$subscriptions[$method] = get_input($method.'subscriptions');
$personal[$method] = get_input($method.'personal');
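Review bot: The authorization test `($user->guid != $current_user->guid) && !$current_user->isAdmin()` is hand-rolled and dereferences `$current_user` without a null check. If this action can ever be reached without a session (its registration is not on this page), the `isAdmin()` call is a fatal error instead of a clean denial. Elgg's own permission check expresses the same policy and goes through the permission hooks: `if (!$user->canEdit()) { forward(); }`. groupsave.php carries the identical block. A `register_error()` before each `forward()` would also stop a refused request from looking like a silent redirect.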