Prevent group creation by silenced users.

* adds Right::CREATEGROUP * logic in Profile::hasRight() checks for silencing * NewgroupAction checks for the permission before letting you see or process the form in the UI * User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.
2010-12-28 11:34:02 -08:00 · 2010-12-28 11:34:02 -08:00 · d3d9797496
parent 46123e3754
commit d3d9797496
4 changed files with 19 additions and 0 deletions
--- a/actions/newgroup.php
+++ b/actions/newgroup.php
@ -66,6 +66,13 @@ class NewgroupAction extends Action
            return false;
        }

+        $user = common_current_user();
+        $profile = $user->getProfile();
+        if (!$profile->hasRight(Right::CREATEGROUP)) {
+            // TRANS: Client exception thrown when a user tries to create a group while banned.
+            throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+        }
+
        return true;
    }

--- a/classes/Profile.php
+++ b/classes/Profile.php
@ -909,6 +909,7 @@ class Profile extends Memcached_DataObject
            case Right::NEWNOTICE:
            case Right::NEWMESSAGE:
            case Right::SUBSCRIBE:
+            case Right::CREATEGROUP:
                $result = !$this->isSilenced();
                break;
            case Right::PUBLICNOTICE:
--- a/classes/User_group.php
+++ b/classes/User_group.php
@ -465,6 +465,16 @@ class User_group extends Memcached_DataObject
    }

    static function register($fields) {
+        if (!empty($fields['userid'])) {
+            $profile = Profile::staticGet('id', $fields['userid']);
+            if ($profile && !$profile->hasRight(Right::CREATEGROUP)) {
+                common_log(LOG_WARNING, "Attempted group creation from banned user: " . $profile->nickname);
+
+                // TRANS: Client exception thrown when a user tries to create a group while banned.
+                throw new ClientException(_('You are not allowed to create groups on this site.'), 403);
+            }
+        }
+
        // MAGICALLY put fields into current scope

        extract($fields);
--- a/lib/right.php
+++ b/lib/right.php
@ -61,5 +61,6 @@ class Right
    const GRANTROLE          = 'grantrole';
    const REVOKEROLE         = 'revokerole';
    const DELETEGROUP        = 'deletegroup';
+    const CREATEGROUP        = 'creategroup';
 }