Not a Bug Broken permission check conditions for new ads

[Painbaker]

XenForo Version String: XenForo 2.2.13

Addon Version String: CAS 2.2.29

Stack Trace:-


New ads has no default user_id value set for template variable

public function actionAdd(ParameterBag $params)
{
       ...

if ($this->isPost())
        {
            ...
        }
        else
        {
            $ad = $category->getNewAd();

            $ad->title = $draft->title ?: '';
            $ad->og_title = $draft->og_title ?: '';
            $ad->meta_title = $draft->meta_title ?: '';
            $ad->prefix_id = $draft->prefix_id ?: 0;
            $ad->description = $draft->description ?: '';
            $ad->meta_description = $draft->meta_description ?: '';
            $ad->message = $draft->message ?: '';
            $ad->external_purchase_url = $draft->external_purchase_url ?: '';
            $ad->accept_offers = $draft->accept_offers ?: 0;
            $ad->amount_available = $draft->amount_available ?: 0;
            $ad->amount_sold = $draft->amount_sold ?: 0;
          
            ...
          
            $viewParams = [
                'category' => $category,
                'ad' => $ad,
                'prefixes' => $category->getUsablePrefixes(),

                'attachmentData' => $attachmentData,
            ];
          
            return $this->view('XenAddons\CAS:Category\PostAd', 'xa_cas_category_post_ad', $viewParams);
        }
}

This causes some permission check conditions to not work properly:

public function canSetExternalPurchaseUrl(&$error = null)

    {
        ...

        return (

            $visitor->user_id == $this->user_id // <-- for new ads this value is always null

            && $this->hasPermission('editOwn')

            && $this->hasPermission('setExternalPurchaseUrlOwn')

        );

    }

 

[Bob]

That is not the issue. That permission check function in the AdItem Entity is designed specifically for checking when Editing an existing Ad and when Adding a new Item (which the User Entity is available and can be compared to the viewing user.). A similar function in the Category Entity is used when Creating a new Ad (it does not include the $visitor->user_id == $this->user_id conditionals as the viewing user IS the user.

There are 3 canSetExternalPurchaseUrl() functions, one in the Category Entity (which is used when Creating new Ads), one in the AdItem Entity (which is used when Editing existing Ads and Adding new Items) and one in the Item Entity (which is used when editing Items).

The issue was a couple macros that were calling the canSetExternalPurchaseUrl() function in the Ad entity, when they should be calling the canSetExternalPurchaseUrl() in the Category Entity. I've modified the xa_cas_ad_edit macros and xa_cas_item_edit_macros along with the xa_cas_category_post_ad, xa_cas_ad_add_item, xa_cas_ad_edit and xa_cas_item_edit templates.

If you want to discuss development with me, please do so privately and not through a client.

 

[Bob]

@Painbaker just gave your client an updated package of CAS 2.2.29 with the changes to the templates and macros. If you want a copy for yourself, hit me up in private