oh, one more thing I found is this bugreport, or ticket:
http://trac.elgg.org/ticket/721
the last change: (so it's not closed? still a bug, or what?)
Wrap your code where you try to save an object in another user's name into
$ignore = elgg_set_ignore_access(true);
(your code comes here)
elgg_set_ignore_access($ignore);
This will override the default protection that would not let you edit objects owned by other users.
Andras has the right idea. You MUST make sure you bring the elgg_set_ignore_access back to false afterwards otherwise your site becomes somewhat "unprotected".
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by Raül Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.