Not a Bug Broken permission check conditions for new ads

Status
Not open for further replies.

Painbaker

XenForo Version String: XenForo 2.2.13

Addon Version String: CAS 2.2.29

Stack Trace:-


New ads have no default user_id value set for the template variable


PHP:
public function actionAdd(ParameterBag $params)
{
    ...

    if ($this->isPost())
    {
        ...
    }
    else
    {
        $ad = $category->getNewAd();

        $ad->title = $draft->title ?: '';
        $ad->og_title = $draft->og_title ?: '';
        $ad->meta_title = $draft->meta_title ?: '';
        $ad->prefix_id = $draft->prefix_id ?: 0;
        $ad->description = $draft->description ?: '';
        $ad->meta_description = $draft->meta_description ?: '';
        $ad->message = $draft->message ?: '';
        $ad->external_purchase_url = $draft->external_purchase_url ?: '';
        $ad->accept_offers = $draft->accept_offers ?: 0;
        $ad->amount_available = $draft->amount_available ?: 0;
        $ad->amount_sold = $draft->amount_sold ?: 0;

        ...

        $viewParams = [
            'category' => $category,
            'ad' => $ad,
            'prefixes' => $category->getUsablePrefixes(),

            'attachmentData' => $attachmentData,
        ];

        return $this->view('XenAddons\CAS:Category\PostAd', 'xa_cas_category_post_ad', $viewParams);
    }
}

This causes some permission check conditions to not work properly:

PHP:
public function canSetExternalPurchaseUrl(&$error = null)
{
    ...

    return (
        $visitor->user_id == $this->user_id // <-- for new ads this value is always null
        && $this->hasPermission('editOwn')
        && $this->hasPermission('setExternalPurchaseUrlOwn')
    );
}
 
That is not the issue. That permission check function in the AdItem Entity is designed specifically for checking when Editing an existing Ad and when Adding a new Item (where the User Entity is available and can be compared to the viewing user). A similar function in the Category Entity is used when Creating a new Ad (it does not include the $visitor->user_id == $this->user_id conditionals, as the viewing user IS the user).

There are 3 canSetExternalPurchaseUrl() functions, one in the Category Entity (which is used when Creating new Ads), one in the AdItem Entity (which is used when Editing existing Ads and Adding new Items) and one in the Item Entity (which is used when editing Items).

The issue was a couple of macros that were calling the canSetExternalPurchaseUrl() function in the Ad entity, when they should be calling the canSetExternalPurchaseUrl() in the Category Entity. I've modified the xa_cas_ad_edit macros and xa_cas_item_edit_macros along with the xa_cas_category_post_ad, xa_cas_ad_add_item, xa_cas_ad_edit and xa_cas_item_edit templates.

If you want to discuss development with me, please do so privately and not through a client.
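
Added example (not part of the thread, and not XenForo or CAS code): a small PHP model of the two checks discussed above, showing why the ownership-gated check on an unsaved ad rejects even its author while the create-context check on the category does not. The Visitor, Category and Ad classes, the has() helper and the permission the category check tests are all assumptions made for illustration.

```php
<?php
// Hypothetical model of the checks discussed in the thread; not XenForo or CAS code.
declare(strict_types=1);

final class Visitor
{
    public function __construct(public int $user_id, private array $perms) {}
    public function has(string $perm): bool { return in_array($perm, $this->perms, true); }
}

final class Category
{
    // Create context: the visitor is the author, so there is no owner to compare against.
    // Which permission the real category check tests is an assumption here.
    public function canSetExternalPurchaseUrl(Visitor $visitor): bool
    {
        return $visitor->has('setExternalPurchaseUrlOwn');
    }

    public function getNewAd(): Ad { return new Ad(); } // owner is left unset
}

final class Ad
{
    public ?int $user_id = null; // set only once the ad has been saved

    // Edit context: owner match plus the "own" permissions.
    // Strict comparison is used here; the code quoted in the thread uses ==.
    public function canSetExternalPurchaseUrl(Visitor $visitor): bool
    {
        return $visitor->user_id === $this->user_id
            && $visitor->has('editOwn')
            && $visitor->has('setExternalPurchaseUrlOwn');
    }
}

// Constructed sample data.
$author   = new Visitor(5, ['editOwn', 'setExternalPurchaseUrlOwn']);
$other    = new Visitor(9, ['editOwn', 'setExternalPurchaseUrlOwn']);
$category = new Category();
$ad       = $category->getNewAd();

var_dump($ad->canSetExternalPurchaseUrl($author));       // entity check on an unsaved ad
var_dump($category->canSetExternalPurchaseUrl($author)); // category check for the create form

$ad->user_id = 5; // the ad now exists and has an owner
var_dump($ad->canSetExternalPurchaseUrl($author));       // owner editing their own ad
var_dump($ad->canSetExternalPurchaseUrl($other));        // another user with the same permissions
```

A template that renders the create form has to ask the category, and one that renders the edit form has to ask the ad; calling the entity check before an owner exists hides the field from a user who is entitled to it.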
 
@Painbaker just gave your client an updated package of CAS 2.2.29 with the changes to the templates and macros. If you want a copy for yourself, hit me up in private :)
 