If you've worked with Elgg's permissions, particularly the container_permissions_check hook, we need your help!
Since Elgg 1.5, if a user creates an entity within a group, we not only fire this hook to test the group as a container (makes sense), but we also has fire it on the user creating it. So during this second hook, the handler receives $params['container'] as the user, even though the user isn't the real container.
This is a longstanding issue that I wish to solve in #8778. Please take a look!
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by RaĆ¼l Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.