fix(groups): prevent misuse of group membership actions

Only allow actions to be executed for authorised requests.
Elgg · Nov 16, 2021 · d9fcad7 · d9fcad7
1 parent 621b28e
commit d9fcad7
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 6 deletions.
diff --git a/mod/groups/actions/groups/membership/delete_invite.php b/mod/groups/actions/groups/membership/delete_invite.php
@@ -13,8 +13,12 @@
 	return get_entity($group_guid);
 });
 
-if (!$user && !($group instanceof \ElggGroup)) {
-	return elgg_error_response();
+if (!$user && !$group instanceof \ElggGroup) {
+	return elgg_error_response(elgg_echo('error:missing_data'));
+}
+
+if (!$user->canEdit() && !$group->canEdit()) {
+	return elgg_error_response(elgg_echo('actionunauthorized'));
 }
 
 // If join request made

diff --git a/mod/groups/actions/groups/membership/delete_request.php b/mod/groups/actions/groups/membership/delete_request.php
@@ -9,8 +9,12 @@
 $user = get_user($user_guid);
 $group = get_entity($group_guid);
 
-if (!$user && !($group instanceof \ElggGroup)) {
-	return elgg_error_response();
+if (!$user && !$group instanceof \ElggGroup) {
+	return elgg_error_response(elgg_echo('error:missing_data'));
+}
+
+if (!$user->canEdit() && !$group->canEdit()) {
+	return elgg_error_response(elgg_echo('actionunauthorized'));
 }
 
 // If join request made

diff --git a/mod/groups/actions/groups/membership/join.php b/mod/groups/actions/groups/membership/join.php
@@ -18,10 +18,14 @@
 	return get_entity($group_guid);
 });
 
-if (!$user || !($group instanceof \ElggGroup)) {
+if (!$user || !$group instanceof \ElggGroup) {
 	return elgg_error_response(elgg_echo('groups:cantjoin'));
 }
 
+if (!$user->canEdit() && !$group->canEdit()) {
+	return elgg_error_response(elgg_echo('actionunauthorized'));
+}
+
 // join or request
 $join = false;
 if ($group->isPublicMembership() || $group->canEdit($user->guid)) {

diff --git a/mod/groups/actions/groups/membership/leave.php b/mod/groups/actions/groups/membership/leave.php
@@ -9,10 +9,14 @@
 $user = get_user($user_guid);
 $group = get_entity($group_guid);
 
-if (!$user || !($group instanceof \ElggGroup)) {
+if (!$user || !$group instanceof \ElggGroup) {
 	return elgg_error_response(elgg_echo('groups:cantleave'));
 }
 
+if (!$user->canEdit() && !$group->canEdit()) {
+	return elgg_error_response(elgg_echo('actionunauthorized'));
+}
+
 if ($group->getOwnerGUID() === $user->guid) {
 	// owner can't be removed
 	return elgg_error_response(elgg_echo('groups:cantleave'));