reply to messages from deleted users lead to "access denied" page

Bug #503598 reported by Crimson
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Low
Assigned to: Hugh Davenport

Bug Description

Username: crimson

I received this email from a spam message:

You have been sent a notification from Mahara ePortfolio System. Message
follows:
------------------------------------------------------------------------

Subject: New message from nancy wilson

nancy wilson has sent you a message. To view this message, visit

http://mahara.org/user/sendmessage.php?id=6530&replyto=879010

...

The issue is that link doesn't work - it gives me access denied:

"Access Denied
You do not have access to view this page

You cannot send this user a message"

Also, navigating to http://mahara.org/account/activity/ then clicking on "New message from nancy wilson" then "More..." (same link as above) gives the same issue.

Tags: mahara.org
Richard Mansfield (richard-mansfield) wrote :

The link doesn't work because the user was deleted and you can't send a reply to a deleted user. I guess the solution is to provide a page for reading messages that's independent of the reply page.

Changed in mahara:
status: New → Confirmed
importance: Undecided → Low
summary: - mahara.org messages link in email and More... link on summary give me
- access denied
+ reply to messages from deleted users lead to "access denied" page
Changed in mahara:
assignee: nobody → Sean Brennan (the-ioniser)
Sean Brennan (the-ioniser) wrote :

I think that if a user deletes their account they probably don't want any messages regardless.
If an admin has deleted their account, there could be many reasons, but I still don't think the user deserves to receive messages through Mahara.

I think a simple rewording of the error message to justify this would be sufficient.
Opinions?

Crimson (ben-crimson) wrote :

Agreed. The important thing from my perspective is to know what has happened to the message. Without an explanation it looks like a permissions issue, which isn't the case.

Kristina Hoeppner (kris-hoeppner) wrote :

Agreed as well. I think a special error message like below would be good:

You cannot access this message because the user was either suspended or the user account does not exist anymore.

Sean Brennan (the-ioniser) wrote : Re: [Mahara-contributors] [Bug 503598] Re: reply to messages from deleted users lead to "access denied" page

Suspended users can still receive messages,
so the message will simply be:

You cannot access this message because the user account does not exist
anymore.

On 02/02/11 19:01, Kristina Hoeppner wrote:
> Agreed as well. I think a special error message like below would be
> good:
>
> You cannot access this message because the user was either suspended or
> the user account does not exist anymore.
>

--
Regards,
Sean Brennan


Sean Brennan (the-ioniser) wrote :

Fix committed on
http://www.gitorious.org/~ioniser/mahara/ionisers-mahara/commits/lp503598-deleted-users-to-access-denied

Sorry about the spam email before. I'll strip out all the mess next time.

Richard Mansfield (richard-mansfield) wrote :

Sean,

That patch isn't quite right. If you look at where the string 'cantmessageuser' is used, you'll see that the same string gets displayed when you can't send a message to a user for any reason.

The user might still exist, but may have set their message preference on the settings page to turn all messages off or to only allow messages from friends.

Sean Brennan (the-ioniser) wrote :
Richard Mansfield (richard-mansfield) wrote :

Sean, much better!

You should throw a UserNotFoundException rather than access denied in the case where the user doesn't exist, and just say the user was not found, or maybe the user doesn't exist, rather than doesn't exist *anymore*, because we don't really know whether they ever existed. Though if you really wanted to make that distinction, you could check the deleted column.

Also in the other case, you've added "they have requested to not recieve emails", but I don't think we shouldn't say 'email' there because we also don't know whether their notification preference is email or internal, you just can't send them a message at all.
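
A sketch of the split described in the comment above, added here as an example; it is not taken from Mahara or from the patch under review. The two exception classes are stand-ins, and the user table, the preference values and the function name `assert_can_message` are assumptions made for illustration.

```php
<?php
// Stand-ins for the application's exception classes (assumed, not Mahara's code).
class UserNotFoundException extends Exception {}
class AccessDeniedException extends Exception {}

// Constructed sample rows, keyed by user id. The 'messages' preference
// values ('allow', 'friends', 'none') are hypothetical names.
$users = [
    1 => ['deleted' => 0, 'messages' => 'allow',   'friends' => [2]],
    2 => ['deleted' => 0, 'messages' => 'friends', 'friends' => [1]],
    3 => ['deleted' => 0, 'messages' => 'none',    'friends' => []],
    4 => ['deleted' => 1, 'messages' => 'allow',   'friends' => []],
];

function assert_can_message(array $users, int $from, int $to): void {
    // A missing row and a row flagged deleted get the same "not found"
    // answer, so the wording never claims the account used to exist.
    if (!isset($users[$to]) || $users[$to]['deleted']) {
        throw new UserNotFoundException('User not found');
    }
    $pref = $users[$to]['messages'];
    $allowed = $pref === 'allow'
        || ($pref === 'friends' && in_array($from, $users[$to]['friends'], true));
    if (!$allowed) {
        // The recipient exists but has restricted messages. The text stays
        // generic: it does not say whether delivery would be email or internal.
        throw new AccessDeniedException('You cannot send this user a message');
    }
}

// User 1 tries each recipient; 99 has no row at all.
foreach ([2, 3, 4, 99] as $to) {
    try {
        assert_can_message($users, 1, $to);
        echo "$to: ok\n";
    } catch (UserNotFoundException | AccessDeniedException $e) {
        echo "$to: " . get_class($e) . ': ' . $e->getMessage() . "\n";
    }
}
```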

Sean Brennan (the-ioniser) wrote :

I have revised this patch as to the suggestions.

Hugh Davenport (hugh-davenport) wrote :
Changed in mahara:
assignee: Sean Brennan (the-ioniser) → Hugh Davenport (hugh-catalyst)
Changed in mahara:
milestone: none → 1.5.0
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/866
Committed: http://gitorious.org/mahara/mahara/commit/1481257e1a3fa181033a92f98f0ea942c074c640
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit 1481257e1a3fa181033a92f98f0ea942c074c640
Author: Hugh Davenport <email address hidden>
Date: Wed Nov 16 15:46:34 2011 +1300

    Show an error when user tries to send a message to a deleted user

    Bug #503598

    Change-Id: Ic003295a1c13b96fbda30af13305b565faf2fb16
    Signed-off-by: Hugh Davenport <email address hidden>

Changed in mahara:
status: In Progress → Fix Committed
Melissa Draper (melissa)
Changed in mahara:
status: Fix Committed → Fix Released