[buddypress-trac] [BuddyPress] #3861: BuddyPress Group admin functions consistently produce 403 Forbidden page errors.
buddypress-trac at lists.automattic.com
Fri Dec 16 17:15:05 UTC 2011
#3861: BuddyPress Group admin functions consistently produce 403 Forbidden page errors.
--------------------------+-----------------------------
Reporter: gbellucci | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Groups | Version: 1.5.2
Severity: normal | Keywords:
--------------------------+-----------------------------
BuddyPress offers administrative functions for managing BuddyPress Groups.
For example, changing the Group avatar, deleting a group, changing the
group name, etc. Changes are implemented by submitting a form from the
Group's admin page located on the front-end. For example, after changing
the group name you press the "Save Changes" button.
The form contains hidden fields for the nonce value and the referrer url, and
the action url is typically:
/<groups-slug>/<group-slug>/admin/edit-details/
where:
'''<groups-slug>''' is the slug for groups
'''<group-slug>''' is the slug for the group.
During the submit processing, the nonce value is verified and the referrer
url is validated. These two items are processed by the WordPress function:
'''check_admin_referer()'''
The '''check_admin_referer()''' function is designed to call
'''wp_verify_nonce''' [''to verify the nonce value''] and attempts to
locate the string position of the admin url within the referring url
string.
The admin url is returned by the function '''admin_url()''' and is
typically the site url with 'wp-admin' appended. (i.e.
http://www.example.com/wp-admin/).
'''check_admin_referer()''' always fails because the referring url will
never contain the url returned by the '''admin_url()''' function. This
results in a 403 page because WordPress believes that the submission did
not originate from an administration page. The '''check_admin_referer()'''
function works correctly - the submissions did not originate from a url
containing '''/wp-admin/''' - however, the function is incorrectly used in
this circumstance.
As implemented, Group changes could never have worked; however, I can't
find anyone complaining about it in the forums. The BuddyPress plugin
should probably contain its own function that verifies admin referrers
originating from the front-end.
I have replaced my version of check_admin_referer by adding a rewritten
function of the same name to my wp-config.php file. check_admin_referer is
a pluggable function. Replacing the routine with one that checks the
referring url differently fixes the problem.
________________
WordPress 3.3
BuddyPress 1.5.2
PHP 5.3+
MySQL 5.0
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/3861>
BuddyPress <http://buddypress.org/>
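The ticket describes a front-end form whose protection rests on a nonce and a referrer check. The following is an added example, not code from the ticket, from BuddyPress or from WordPress core, of how a front-end form handler can be protected with WordPress's own nonce and capability APIs without comparing the referring url against admin_url(). All function, hook, option and field names prefixed with example_ are hypothetical; wp_nonce_field(), wp_verify_nonce(), wp_die(), absint(), sanitize_text_field(), update_option()/get_option() and wp_safe_redirect() are real WordPress functions.

```php
<?php
// Added example (not BuddyPress or WordPress core code): a front-end "edit group"
// form protected by a WordPress nonce plus a separate authorisation check.
// Everything prefixed example_ is hypothetical.

// 1. Rendering: embed a nonce that is bound to this action and this group.
function example_render_group_details_form( $group_id ) {
    $group_id = absint( $group_id );
    $name     = get_option( 'example_group_' . $group_id . '_name', '' );
    ?>
    <form method="post" action="">
        <input type="hidden" name="group_id" value="<?php echo esc_attr( $group_id ); ?>" />
        <input type="text" name="group_name" value="<?php echo esc_attr( $name ); ?>" />
        <?php
        // The nonce is tied to 'example_edit_group_<id>', so a token taken from
        // another form, another group or another user's session is not valid here.
        wp_nonce_field( 'example_edit_group_' . $group_id, 'example_nonce' );
        ?>
        <input type="submit" name="example_save" value="Save Changes" />
    </form>
    <?php
}

// Authorisation stand-in: the group's creator (stored in an option for this
// example) or a site administrator may edit the group.
function example_user_can_edit_group( $user_id, $group_id ) {
    $creator = (int) get_option( 'example_group_' . $group_id . '_creator', 0 );
    return current_user_can( 'manage_options' ) || ( $creator && $creator === (int) $user_id );
}

// 2. Processing: runs on the front-end request before any output is sent.
function example_handle_group_details_submit() {
    if ( empty( $_POST['example_save'] ) ) {
        return;
    }

    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    $nonce    = isset( $_POST['example_nonce'] ) ? $_POST['example_nonce'] : '';

    // CSRF protection: the nonce alone proves the request came from a form we
    // rendered for this user. No comparison against admin_url() is involved, so a
    // front-end action url like /groups/<group-slug>/admin/edit-details/ is fine.
    if ( ! $group_id || ! wp_verify_nonce( $nonce, 'example_edit_group_' . $group_id ) ) {
        wp_die( 'The link you followed has expired or is invalid.', '', array( 'response' => 403 ) );
    }

    // A valid nonce says nothing about permission; authorisation is checked separately.
    if ( ! is_user_logged_in() || ! example_user_can_edit_group( get_current_user_id(), $group_id ) ) {
        wp_die( 'You do not have permission to edit this group.', '', array( 'response' => 403 ) );
    }

    // Input handling: strip WordPress' magic-quote slashes, then sanitise.
    $new_name = isset( $_POST['group_name'] ) ? sanitize_text_field( stripslashes( $_POST['group_name'] ) ) : '';
    if ( '' === $new_name ) {
        wp_die( 'Group name cannot be empty.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_group_' . $group_id . '_name', $new_name );

    // Redirect after POST so a page refresh does not resubmit the form.
    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'template_redirect', 'example_handle_group_details_submit' );
```

The two checks answer different questions: the nonce defends against cross-site request forgery (did this user submit a form we generated for this action?), while example_user_can_edit_group() decides whether that user is allowed to make the change at all. Dropping either one leaves a gap; only the nonce depends on the form, and it works the same whether the form lives under /wp-admin/ or on a front-end page.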