fixed: prevent notifying subscribers for outside an ACL
This mostly applies to admins
jeabakker committed Jul 19, 2018
1 parent 1cc03da commit 2a7ed33
Showing 2 changed files with 61 additions and 0 deletions.
60 changes: 60 additions & 0 deletions classes/ColdTrick/AdvancedNotifications/Subscriptions.php
Expand Up @@ -119,4 +119,64 @@ protected static function isAllowedNotificationEvent($type, $subtype, $action)

return isset($settings[$type][$subtype]);
}

/**
* Validate that subscribers are member of an access collection.
*
* Not realy needed for 'normal' users but for admins this is required, as access isn't vaidated to them
*
* @param string $hook the name of the hook
* @param string $type the type of the hook
* @param array $return_value current return value
* @param array $params supplied params
*
* @return void|array
*/
public static function checkAccessCollectionMembership($hook, $type, $return_value, $params) {

if (empty($return_value)) {
// no subscribers to validate
return;
}

$event = elgg_extract('event', $params);
if (!$event instanceof NotificationEvent) {
return;
}

$object = $event->getObject();
$ignored_access_ids = [
ACCESS_PRIVATE,
ACCESS_FRIENDS,
ACCESS_LOGGED_IN,
ACCESS_PUBLIC,
];
if (!$object instanceof \ElggEntity || in_array($object->access_id, $ignored_access_ids)) {
return;
}

$acl = get_access_collection($object->access_id);
if ($acl === false) {
// not an ACL
return;
}

$acl_members = get_members_of_access_collection($object->access_id, true);
if (empty($acl_members)) {
// acl has no members, so remove everybody
return [];
}

$guids_to_remove = array_diff(array_keys($return_value), $acl_members);
if (empty($guids_to_remove)) {
// nothing to cleanup
return;
}

foreach ($guids_to_remove as $guid) {
unset($return_value[$guid]);
}

return $return_value;
}
}
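Review bot: The ACL filter in checkAccessCollectionMembership only removes subscribers that are present at the moment it runs, so any `'get', 'subscriptions'` handler registered at a priority above the 9000 used in start.php in this same commit can add a GUID after the filter and bypass the membership check. That ordering assumption should be stated on the method, e.g. `* Must run after every handler that adds subscribers; a handler with a higher priority re-adds GUIDs after this filter.`, and the registration should use the highest priority the plugin relies on for this hook. Separately, `in_array($object->access_id, $ignored_access_ids)` compares loosely; if Elgg hands `access_id` back as a numeric string, `in_array((int) $object->access_id, $ignored_access_ids, true)` keeps the intent while making the comparison strict. While touching the docblock, `realy` and `vaidated` can become `really` and `validated`. The enclosing class and the method whose tail opens the hunk (isAllowedNotificationEvent) start outside the hunk.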
1 change: 1 addition & 0 deletions start.php
Expand Up @@ -43,6 +43,7 @@ function advanced_notifications_init() {
elgg_register_plugin_hook_handler('enqueue', 'notification', '\ColdTrick\AdvancedNotifications\Enqueue::delayPrivateContentNotification', 9001);

elgg_register_plugin_hook_handler('get', 'subscriptions', '\ColdTrick\AdvancedNotifications\Subscriptions::addOwnerSubscribers');
elgg_register_plugin_hook_handler('get', 'subscriptions', '\ColdTrick\AdvancedNotifications\Subscriptions::checkAccessCollectionMembership', 9000);

elgg_register_plugin_hook_handler('setting', 'plugin', '\ColdTrick\AdvancedNotifications\PluginSettings::setPluginSetting');

