[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor
buddypress-trac
noreply at wordpress.org
Mon Jun 15 13:15:16 UTC 2015
#6504: Messages viewable to any logged out visitor
-----------------------------------+--------------------
Reporter: CodeMonkeyBanana | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.3.2
Component: Component - Messaging | Version:
Severity: blocker | Resolution:
Keywords: has-patch |
-----------------------------------+--------------------
Comment (by sbrajesh):
There is a simple solution to the user id spoofing.
Unless we add roles/caps in future for who can see others' messages, we can
simply reset user_id in bp_has_message_threads after the parsing of the
arguments. Except if super admin, it should always reset to
get_current_user_id() for now.
That will avoid any future leak there.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:12>
BuddyPress Trac <http://buddypress.org/>
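The reset described in the comment above, written out as an added example (this is not BuddyPress's own code; the function names and the shape of the argument array are illustrative assumptions, while wp_parse_args(), bp_loggedin_user_id(), is_super_admin() and get_current_user_id() are the real WordPress/BuddyPress functions):

```php
<?php
/**
 * Added example, not BuddyPress's own code. Shows the mitigation proposed
 * in the comment above: after the arguments are parsed, the thread loop's
 * user_id is forced back to the current user unless the caller is a
 * super admin. Function and parameter names are illustrative.
 */

// Before: the loop trusts whatever user_id arrives in $args (for example
// from a shortcode attribute or a query string), so a request can name
// another member's inbox and the query runs for that member.
function example_thread_args_unsafe( array $args ) {
    return wp_parse_args( $args, array(
        'user_id' => bp_loggedin_user_id(),
        'box'     => 'inbox',
    ) );
}

// After: the supplied user_id is honoured only for super admins; everyone
// else always queries their own threads.
function example_thread_args_safe( array $args ) {
    $r = wp_parse_args( $args, array(
        'user_id' => bp_loggedin_user_id(),
        'box'     => 'inbox',
    ) );

    if ( ! is_super_admin() ) {
        $current = get_current_user_id();
        // Logged-out visitors get 0 here. Returning false lets the caller
        // skip the query entirely rather than running it for user 0.
        if ( 0 === $current ) {
            return false;
        }
        $r['user_id'] = $current;
    }
    return $r;
}

// Illustrative use in a template loop:
// $r = example_thread_args_safe( array( 'user_id' => (int) $_GET['user_id'] ) );
// if ( false === $r ) { return false; } // nothing to show to a logged-out visitor
```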