[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor

buddypress-trac noreply at wordpress.org
Mon Jun 15 13:15:16 UTC 2015


#6504: Messages viewable to any logged out visitor
-----------------------------------+--------------------
 Reporter:  CodeMonkeyBanana       |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  2.3.2
Component:  Component - Messaging  |     Version:
 Severity:  blocker                |  Resolution:
 Keywords:  has-patch              |
-----------------------------------+--------------------

Comment (by sbrajesh):

 There is a simple solution to the user id spoofing.
 Unless we add roles/caps in future who can see others' messages, we can
 simply reset user_id in bp_has_message_threads after the parsing of the
 arguments. Except if super admin, it should always reset to
 get_current_user_id() for now.

 That will avoid any future leak there.

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:12>
BuddyPress Trac <http://buddypress.org/>
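The reset sbrajesh proposes, written out as an added example that is not BuddyPress's own code or the ticket's patch. It assumes BuddyPress exposes the `bp_after_has_message_threads_parse_args` filter on the parsed arguments of `bp_has_message_threads()`; the function name `example_pin_message_threads_to_current_user` is hypothetical.

```php
<?php
/**
 * Added example: pin the message-thread query to the current user.
 *
 * The user_id argument is re-assigned after argument parsing, so a
 * user_id supplied via the request (the spoofing the ticket describes)
 * can never select another member's inbox. Super admins keep the
 * unchanged arguments, matching the exception in the comment above.
 *
 * @param array $r               Parsed bp_has_message_threads() arguments.
 * @param int   $current_user_id Result of get_current_user_id(); 0 when logged out.
 * @param bool  $is_super_admin  Result of is_super_admin().
 * @return array Arguments with user_id forced to the current user.
 */
function example_pin_message_threads_to_current_user( array $r, $current_user_id, $is_super_admin ) {
    if ( $is_super_admin ) {
        return $r;
    }

    // Always overwrite, never merge: an absent or spoofed value is treated alike.
    // A logged-out visitor ends up with user_id 0, which identifies no member,
    // so the caller still has to refuse to list threads for user_id 0.
    $r['user_id'] = (int) $current_user_id;

    return $r;
}

// Assumed filter name (hypothetical for this example): BuddyPress's bp_parse_args()
// applies bp_after_{$filter_key}_parse_args after it has merged the defaults.
add_filter( 'bp_after_has_message_threads_parse_args', function ( $r ) {
    return example_pin_message_threads_to_current_user(
        (array) $r,
        get_current_user_id(),
        is_super_admin()
    );
} );
```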