[buddypress-trac] [BuddyPress Trac] #7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function
buddypress-trac
noreply at wordpress.org
Wed Jan 10 17:37:19 UTC 2018
#7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function
--------------------------------------+-----------------------
 Reporter:  DJPaul                    |  Owner:
     Type:  enhancement               |  Status:  assigned
 Priority:  high                      |  Milestone:  3.0
Component:  Activity                  |  Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |
--------------------------------------+-----------------------
Comment (by DJPaul):
In `bp_activity_screen_single_activity_permalink()`, the following needs to be added to prevent a regression:
{{{
// If activity author does not match displayed user, block access.
if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {
    $has_access = false;
}
}}}
This prevents accessing someone else's (public) activity item at the wrong URL, e.g.:
- http://bpcore.local/members/admin/activity/25/ (activity 25 belongs to "admin")
- http://bpcore.local/members/another_user/activity/25/
  - with the patch, this works (incorrectly - duplicating content at multiple URLs)
  - without the patch, it redirects you to your profile and says you do not have access (correct).
Locally I tested putting this back in just after the `$has_access = apply_filters` line, and it fixed it.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7048#comment:28>
BuddyPress Trac <http://buddypress.org/>
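The two-step decision the comment describes (visibility check first, then "serve the item only under its author's profile URL"), written out as a stand-alone PHP script. This is an added example, not BuddyPress's own code: `example_activity_permalink_access()`, the `visibility` field and the in-memory activity record are constructed for illustration, and the visibility rule is a simplified stand-in for the real filtered `$has_access` value.

```php
<?php
// Added example, not BuddyPress code. The function name, the array-based
// activity record and the 'visibility' rule are hypothetical stand-ins.

/**
 * Decide whether an activity item may be shown on a member's activity
 * permalink page.
 *
 * @param array $activity          Constructed record: id, user_id (author), visibility.
 * @param int   $displayed_user_id The member whose profile URL is being viewed.
 * @param int   $current_user_id   The viewer (0 = logged out).
 * @return bool True when the item may be rendered at this URL.
 */
function example_activity_permalink_access( array $activity, int $displayed_user_id, int $current_user_id ): bool {
	// Cast at the boundary: the guard below uses strict comparison, so both
	// sides must be integers (a string id from the database would never match).
	$author_id = (int) $activity['user_id'];

	// Step 1: visibility. Stand-in for the filtered $has_access in the real
	// screen function: public items are readable by anyone, hidden items
	// only by their author.
	$has_access = ( 'public' === $activity['visibility'] ) || ( $current_user_id === $author_id );

	// Step 2: the regression guard from the comment. Even a readable item is
	// served only under its author's URL, so the same content cannot be
	// reached (and indexed) at /members/<anyone-else>/activity/<id>/.
	if ( true === $has_access && $displayed_user_id !== $author_id ) {
		$has_access = false;
	}

	return $has_access;
}

// Constructed data mirroring the comment: activity 25 belongs to user 1
// ("admin"); user 2 is "another_user"; user 0 is a logged-out visitor.
$activity_25 = array( 'id' => 25, 'user_id' => 1, 'visibility' => 'public' );

// Each case: description, displayed user, viewer, decision the guard must produce.
$cases = array(
	array( '/members/admin/activity/25/ viewed while logged out',             1, 0, true ),
	array( '/members/another_user/activity/25/ viewed while logged out',      2, 0, false ),
	array( '/members/another_user/activity/25/ viewed by the author herself', 2, 1, false ),
	array( '/members/admin/activity/25/ viewed by another_user',              1, 2, true ),
);

foreach ( $cases as list( $label, $displayed, $viewer, $expected ) ) {
	$got = example_activity_permalink_access( $activity_25, $displayed, $viewer );
	if ( $got !== $expected ) {
		throw new RuntimeException( "Unexpected decision for: {$label}" );
	}
	echo ( $got ? 'allow' : 'block' ) . "  {$label}\n";
}
```

The script checks its own decisions and throws if any differ, so running it with `php` is the test. The second and third cases are the ones the comment is about: without the guard, a public item is rendered under any member's URL, which is the duplicate-content problem DJPaul describes; the guard blocks it regardless of who the viewer is, author included. Keeping the guard in its own function, as the ticket title proposes, is also what makes it straightforward to cover with the unit tests the ticket already carries.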