[buddypress-trac] [BuddyPress Trac] #7615: Message thread "conversation" view can be accessed under another participant's URL
buddypress-trac
noreply at wordpress.org
Mon Oct 23 18:29:47 UTC 2017
#7615: Message thread "conversation" view can be accessed under another participant's URL
--------------------------+-----------------------
Reporter: boonebgorges | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Messages | Version:
Severity: normal | Keywords: has-patch
--------------------------+-----------------------
Two users, `user1` and `user2`, both involved in a messages thread `456`.
Each should be able to view the thread at their respective URLs:
{{{
user1: /members/user1/messages/view/456
user2: /members/user2/messages/view/456
}}}
The screen loader function only checks to see whether the current user
should have access to the thread. It doesn't check to see whether they're
viewing it at the correct URL. So, user1 can view at user2's URL, and vice
versa.
https://buddypress.trac.wordpress.org/browser/tags/2.9.1/src/bp-messages/bp-messages-screens.php?marks=132#L107
Not really a security issue, since users (a) should have access to the
content itself, and (b) can't perform any other private actions, but
definitely confusing.
See attached patch for a suggested fix: `bp_core_no_access()` if `! bp_is_my_profile()`.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7615>
BuddyPress Trac <http://buddypress.org/>
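As an added illustration (not the ticket's attached patch and not BuddyPress's own code), a simplified screen loader modelled on `messages_screen_conversation()` in bp-messages-screens.php, showing the thread-access check the reporter describes and the extra ownership check the suggested fix adds; the exact conditions of the real function are assumed, not quoted.

```php
<?php
/**
 * Simplified conversation screen loader, modelled on BuddyPress's
 * messages_screen_conversation(). Illustration only: the body of the real
 * function is assumed here, not copied from the project.
 */
function example_messages_screen_conversation() {
	// Only act on /members/<user>/messages/view/<thread_id>.
	if ( ! bp_is_messages_component() || ! bp_is_current_action( 'view' ) ) {
		return false;
	}

	$thread_id = (int) bp_action_variable( 0 );

	// Existing behaviour (the bug): only "may the current user read this
	// thread?" is checked. user1 passes this at /members/user2/... as well,
	// because nothing ties the thread to the profile named in the URL.
	if ( empty( $thread_id )
		|| ! messages_is_valid_thread( $thread_id )
		|| ( ! messages_check_thread_access( $thread_id ) && ! bp_current_user_can( 'bp_moderate' ) )
	) {
		bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_messages_slug() ) );
	}

	// Suggested fix from the ticket: a thread may only be viewed under the
	// viewer's own profile URL, so the displayed user must be the logged-in
	// user. Note that, as written, this also turns away a moderator viewing
	// another member's thread; whether that is wanted is up to the patch.
	if ( ! bp_is_my_profile() ) {
		bp_core_no_access();
	}

	// ... load the thread template as the original function does.
}
```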