Issue #52: check permissions of account being edited before disabling…

… pm (#60)
backdrop-contrib · Dec 4, 2023 · 1dd9af4 · 1dd9af4
1 parent d651e59
commit 1dd9af4
Showing 1 changed file with 18 additions and 20 deletions.
diff --git a/privatemsg.module b/privatemsg.module
@@ -360,10 +360,11 @@ function privatemsg_menu_local_tasks_alter(&$data, $router_item, $root_path) {
  *
  * Never allows anonymous user access as that doesn't makes sense.
  *
- * @param $permission
+ * @param string $permission
  *   Permission string, defaults to read privatemsg
+ * @param User|null $account
  *
- * @return
+ * @return bool
  *   TRUE if user has access, FALSE if not
  *
  * @ingroup api
@@ -397,13 +398,13 @@ function privatemsg_user_access($permission = 'read privatemsg', $account = NULL
  * messages/view/% pages and not to leave tabs artifact on other lower
  * level pages such as the messages/new/%.
  *
- * @param $thread
+ * @param array $thread
  *   A array containing all information about a specific thread, generated by
  *   privatemsg_thread_load().
  *
  * @ingroup api
  *
- * @return boolean
+ * @return bool
  */
 function privatemsg_view_access($thread) {
   // Do not allow access to threads without messages.
@@ -420,8 +421,9 @@ function privatemsg_view_access($thread) {
 /**
  * Checks the status of private messaging for provided user.
  *
- * @param user object to check
- * @return TRUE if user has disabled private messaging, FALSE otherwise
+ * @param User $account
+ * @return bool
+ *  TRUE if user has disabled private messaging, FALSE otherwise
  */
 function privatemsg_is_disabled($account) {
   // Make sure account exists
@@ -448,20 +450,20 @@ function privatemsg_is_disabled($account) {
  * This function is called by the menu system through the %privatemsg_thread
  * wildcard.
  *
- * @param $thread_id
+ * @param int $thread_id
  *   Thread id, pmi.thread_id or pm.mid of the first message in that thread.
- * @param $account
+ * @param User $account
  *   User object for which the thread should be loaded, defaults to
  *   the current user.
- * @param $start
+ * @param string $start
  *   Message offset from the start of the thread.
- * @param $useAccessDenied
+ * @param bool $useAccessDenied
  *   Set to TRUE if the function should forward to the access denied page
  *   instead of not found. This is used by the menu system because that does
  *   load arguments before access checks are made. Defaults to FALSE.
  *
- * @return
- *   $thread object, with keys messages, participants, title and user. messages
+ * @return object
+ *   Thread object, with keys messages, participants, title and user. messages
  *   contains an array of messages, participants an array of user, subject the
  *   subject of the thread and user the user viewing the thread.
  *
@@ -1436,8 +1438,9 @@ function privatemsg_form_alter(&$form, &$form_state, $form_id) {
         '#type' => 'checkbox',
         '#title' => t('Enable private messages'),
         '#default_value' => !privatemsg_is_disabled($form['#user']),
-        '#description' => t('Disabling private messages prevents you from sending or receiving messages from other users.'),
+        '#description' => t('Disabling private messages prevents you from sending or receiving messages from other users. This option is disabled if this account is not allowed to disable private messages.'),
         '#weight' => -10,
+        '#disabled' => !user_access('allow disabling privatemsg', $form['#user']),
       );
     }
   }
@@ -1458,15 +1461,10 @@ function privatemsg_account_fieldset_remove_if_empty($element) {
  * {pm_disable} holds the list of users that have disabled private messaging
  */
 function privatemsg_user_update($account) {
-  if (isset($account->pm_enable) && (user_access('write privatemsg') || user_access('read privatemsg')) && user_access('allow disabling privatemsg')) {
-    // check whether user is listed in pm_disable datatable
+  if (isset($account->pm_enable) && (user_access('write privatemsg', $account) || user_access('read privatemsg', $account)) && user_access('allow disabling privatemsg', $account)) {
+    // Check whether user is listed in pm_disable table.
     $current = privatemsg_is_disabled($account);
-    // $account->pm_enable was TRUE so set $disabled to FALSE
     $disabled = (!$account->pm_enable);
-    // remove setting for $account->pm_enable
-    $account->pm_enable = NULL;
-    // set privatemsg_disabled to FALSE
-    $account->privatemsg_disabled = $disabled;
 
     // only perform the save if the value has changed
     if ($current != $disabled) {