From 092273751bc17e6f0d0e16f7bccd0ebb73b93f5b Mon Sep 17 00:00:00 2001
From: Paul Holden <paulh@moodle.com>
Date: Fri, 21 Jul 2023 17:06:34 +0100
Subject: [PATCH] MDL-78792 message: access checks in processor fragment
 callback.

---
 message/lib.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/message/lib.php b/message/lib.php
index 31bd8796fb0..913332facec 100644
--- a/message/lib.php
+++ b/message/lib.php
@@ -696,6 +696,10 @@ function message_output_fragment_processor_settings($args = []) {
     $userid = $args['userid'];
 
     $user = core_user::get_user($userid, '*', MUST_EXIST);
+    if (!core_message_can_edit_message_profile($user)) {
+        throw new moodle_exception('Cannot edit message profile');
+    }
+
     $processor = get_message_processor($type);
     $providers = message_get_providers_for_user($userid);
     $processorwrapper = new stdClass();
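Review bot: The added `throw new moodle_exception('Cannot edit message profile');` passes a free-text sentence where `moodle_exception` takes a language-string identifier as its first argument, so the denial will probably surface as an unresolved string rather than a clear, translatable permission error; something like `throw new moodle_exception('nopermissions', 'error', '', 'edit message profile');` would fit better, once the string id is confirmed against the lang pack. The check also sits after `core_user::get_user($userid, '*', MUST_EXIST)`, so a caller without permission still gets a different error for a nonexistent user id than for an existing one; if that is accepted, a short comment above the check saying so would help the next reader. The patch touches only message/lib.php, so a test that calls this fragment callback as a user who may not edit the target profile and expects the exception would keep the check from regressing. The function body starts and ends outside the hunk, so how `$args['userid']` and `$type` are validated is not visible here.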