From d3d9797496a3777d781627595565c5ea3a71f683 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 28 Dec 2010 11:34:02 -0800
Subject: [PATCH] Prevent group creation by silenced users.

* adds Right::CREATEGROUP
* logic in Profile::hasRight() checks for silencing
* NewgroupAction checks for the permission before letting you see or process the form in the UI
* User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.
---
 actions/newgroup.php | 7 +++++++
 classes/Profile.php | 1 +
 classes/User_group.php | 10 ++++++++++
 lib/right.php | 1 +
 4 files changed, 19 insertions(+)

diff --git a/actions/newgroup.php b/actions/newgroup.php
index 05520223c0..04441e71c6 100644
--- a/actions/newgroup.php
+++ b/actions/newgroup.php
@@ -66,6 +66,13 @@ class NewgroupAction extends Action
 return false;
 }
+ $user = common_current_user();
+ $profile = $user->getProfile();
+ if (!$profile->hasRight(Right::CREATEGROUP)) {
+ // TRANS: Client exception thrown when a user tries to create a group while banned.
+ throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+ }
+
 return true;
 }
diff --git a/classes/Profile.php b/classes/Profile.php
index 2e88f17ad3..00e076a624 100644
--- a/classes/Profile.php
+++ b/classes/Profile.php
@@ -909,6 +909,7 @@ class Profile extends Memcached_DataObject
 case Right::NEWNOTICE:
 case Right::NEWMESSAGE:
 case Right::SUBSCRIBE:
+ case Right::CREATEGROUP:
 $result = !$this->isSilenced();
 break;
 case Right::PUBLICNOTICE:
diff --git a/classes/User_group.php b/classes/User_group.php
index 7d6e219148..f223164d04 100644
--- a/classes/User_group.php
+++ b/classes/User_group.php
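Review bot: `common_current_user()` returns null for an anonymous request, so `$user->getProfile()` on the following line would be a fatal error rather than a clean error response; this is only safe if the `return false;` branch just above the insert already covers the not-logged-in case, and that branch begins outside the hunk (prepare()'s opening is not visible). A one-line guard keeps the check self-contained regardless of what precedes it: `if (empty($user)) { throw new ClientException(_('Not logged in.'), 403); }`. Checking the right here as well as in User_group::register() is the right layering — the UI refuses before rendering the form, while the model refuses whatever the entry point.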
@@ -465,6 +465,16 @@ class User_group extends Memcached_DataObject
 }
 static function register($fields) {
+ if (!empty($fields['userid'])) {
+ $profile = Profile::staticGet('id', $fields['userid']);
+ if ($profile && !$profile->hasRight(Right::CREATEGROUP)) {
+ common_log(LOG_WARNING, "Attempted group creation from banned user: " . $profile->nickname);
+
+ // TRANS: Client exception thrown when a user tries to create a group while banned.
+ throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+ }
+ }
+
 // MAGICALLY put fields into current scope
 extract($fields);
diff --git a/lib/right.php b/lib/right.php
index bacbea5f29..ccabd00c92 100644
--- a/lib/right.php
+++ b/lib/right.php
@@ -61,5 +61,6 @@ class Right
 const GRANTROLE = 'grantrole';
 const REVOKEROLE = 'revokerole';
 const DELETEGROUP = 'deletegroup';
+ const CREATEGROUP = 'creategroup';
 }
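Review bot: A userid that matches no profile passes the new guard silently — `Profile::staticGet` returns false on a miss, `if ($profile && ...)` then skips the rights check entirely, and creation proceeds with an initial admin that does not exist. Because register() is meant to be the backstop for API and other non-UI callers, that case deserves at least a log line before falling through, e.g. an `else` branch with `common_log(LOG_WARNING, "Attempted group creation with unknown userid: " . $fields['userid']);`. The `!empty($fields['userid'])` condition also means a caller that omits userid is never checked at all; if that is intentional for groups created without an initial admin, a short comment saying so would stop the next reader from treating it as an oversight. The warning text says "banned" while the right is actually removed by silencing (per the Profile::hasRight change), so logging `$profile->id` alongside the nickname and wording it as "silenced or banned" would make the entry both accurate and searchable; register()'s body continues past the end of the hunk.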