-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
3.2.9, 3.3.0
-
None
Various functions in \phpbb\notification\manager blindly call \phpbb\notification\type\type_interface functions without first checking that the given notification type is actually available.
For example, when \phpbb\notification\manager::add_notifications is called, it calls straight through to \phpbb\notification\type\type_interface::find_users_for_notification:
$notify_users = $this->get_item_type_class($notification_type_name)->find_users_for_notification($data, $options)
This means that if e.g. bookmarks are initially enabled, users add bookmarks, then bookmarks are disabled later, users will continue to receive bookmark notifications and will have no ability to control these notifications.
There is no written contract in the type_interface API that states the type needs to be aware of its own availability state and not return data if it is unavailable, so this implies that these checks should be happening in the notification manager. However, just checking type_interface::is_available is not sufficient since that function is designated to be used only for deciding whether or not a type is available to the current user, not whether or not a type is available at all.