[buddypress-trac] [BuddyPress] #5116: groups_delete_group() checks user group admin status

buddypress-trac noreply at wordpress.org
Fri Jul 26 13:20:07 UTC 2013


#5116: groups_delete_group() checks user group admin status
--------------------------+------------------
 Reporter:  ericlewis     |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  1.9
Component:  Groups        |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------
Changes (by boonebgorges):

 * milestone:  Awaiting Review => 1.9


Comment:

 I've run into this before, and I agree that it's odd. Your workaround is
 OK, but there's a bunch of other stuff happening in this function that
 you'd also need to reproduce.

 In any case, for the reasons you cite, we should be doing
 `current_user_can()` checks, etc., at the level of the screen function, not
 here.

 In BP, `groups_delete_group()` is called in three places, and each time we
 do a separate check for permissions before calling it. So removing the
 permissions check from the function wouldn't cause any problems in BP.
 However, it's possible that removing the check would cause security issues
 in plugins that are currently implicitly relying on the check. My
 inclination is to do a search of the wordpress.org plugin repo to see if
 that's the case. If the plugin repo looks good, we'll remove the check,
 and post to bpdevel and the codex to let people know about the change (in
 case of non-public plugins, etc.). (I'm happy to do this search myself, but
 I won't be at my computer with a checkout of the whole wp.org plugin repo
 for a couple days.)

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5116#comment:1>
BuddyPress <http://buddypress.org/>
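The comment above proposes moving the permission check out of `groups_delete_group()` and onto its callers, and notes the risk to plugins that implicitly relied on it. The PHP below is an added illustration, not code from the ticket or from BuddyPress: a hypothetical plugin handler that depended on the internal check, beside the screen-level form the comment recommends, where the caller verifies the request nonce and the user's group/site admin status before calling the data function. Function names other than `groups_delete_group()` and `current_user_can()` (the `my_plugin_*` handlers, the nonce action, and the BuddyPress/WordPress helpers used) are assumptions to verify against your BuddyPress version.

```php
<?php
// Added example (not code from the ticket or from BuddyPress itself).
// Assumes WordPress + BuddyPress are loaded. Helper names other than
// groups_delete_group() and current_user_can() are assumptions taken
// from the BuddyPress/WordPress APIs and should be checked.

/*
 * BEFORE: a plugin handler that relies on groups_delete_group() to
 * reject non-admins. Once the internal check is removed, any logged-in
 * user who can reach this handler is able to delete the group.
 */
function my_plugin_delete_group_handler_before() {
    $group_id = bp_get_current_group_id();
    groups_delete_group( $group_id ); // no authorization performed here
}

/*
 * AFTER: the screen function performs the checks itself, which is where
 * the comment says they belong. The data function may then assume an
 * authorized caller, and third-party code no longer depends on it.
 */
function my_plugin_delete_group_handler_after() {
    $group_id = bp_get_current_group_id();
    $user_id  = bp_loggedin_user_id();

    // 1. The request must be a deliberate, nonce-protected form submission.
    check_admin_referer( 'my_plugin_delete_group_' . $group_id );

    // 2. Only an admin of this group, or a site moderator, may delete it.
    $allowed = groups_is_user_admin( $user_id, $group_id )
            || bp_current_user_can( 'bp_moderate' );
    if ( ! $allowed ) {
        wp_die( __( 'You are not allowed to delete this group.', 'my-plugin' ) );
    }

    // 3. Only now call the data function.
    if ( groups_delete_group( $group_id ) ) {
        bp_core_add_message( __( 'Group deleted.', 'my-plugin' ) );
    } else {
        bp_core_add_message( __( 'Could not delete the group.', 'my-plugin' ), 'error' );
    }
    bp_core_redirect( bp_get_groups_directory_permalink() );
}
```

The same pattern applies to any shared data function whose built-in authorization check is removed: every entry point that reaches it must carry its own check, or the removal silently turns a harmless refactor into a missing-authorization bug.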

