Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-16340

Notification manager does not check if a notification type is available before creating or updating notifications

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.2.9, 3.3.0
    • Fix Version/s: None
    • Component/s: Notification System
    • Labels:
      None

      Description

      Various functions in \phpbb\notification\manager blindly call \phpbb\notification\type\type_interface functions without first checking that the given notification type is actually available.

      For example, when \phpbb\notification\manager::add_notifications is called, it calls straight through to \phpbb\notification\type\type_interface::find_users_for_notification:

      $notify_users = $this->get_item_type_class($notification_type_name)->find_users_for_notification($data, $options)

      This means that if e.g. bookmarks are initially enabled, users add bookmarks, then bookmarks are disabled later, users will continue to receive bookmark notifications and will have no ability to control these notifications.

      There is no written contract in the type_interface API that states the type needs to be aware of its own availability state and not return data if it is unavailable, so this implies that these checks should be happening in the notification manager. However, just checking type_interface::is_available is not sufficient since that function is designated to be used only for deciding whether or not a type is available to the current user, not whether or not a type is available at all.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Snover Snover [X] (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: