[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor

buddypress-trac noreply at wordpress.org
Mon Jun 15 13:20:40 UTC 2015


#6504: Messages viewable to any logged out visitor
-----------------------------------+--------------------
 Reporter:  CodeMonkeyBanana       |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  2.3.2
Component:  Component - Messaging  |     Version:
 Severity:  blocker                |  Resolution:
 Keywords:  has-patch              |
-----------------------------------+--------------------

Comment (by boonebgorges):

 Replying to [comment:12 sbrajesh]:
 > There is a simple solution to the user id spoofing.
 > Unless we add roles/caps in future who can see others' messages, we can
 > simply reset user_id in bp_has_message_threads after the parsing of the
 > arguments. Except if super admin, it should always reset to
 > get_current_user_id() for now.
 >
 > That will avoid any future leak there.

 Yes, this is probably the most secure thing to do, though I'm not a big
 fan of doing these kinds of blocks at the level of the template function.
 I'm going to ping you on Slack to chat more about it :)

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:13>
BuddyPress Trac <http://buddypress.org/>
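The "reset user_id after the arguments are parsed" mitigation proposed in comment 12, written out as an added example rather than code from the ticket or from BuddyPress core. It assumes the filter name `bp_after_has_message_threads_parse_args` (derived from the filter key that `bp_parse_args()` is called with inside `bp_has_message_threads()`) and uses the `bp_moderate` capability as the "super admin" check; both are assumptions about BuddyPress conventions, not facts stated in the ticket.

```php
<?php
// Added example, not BuddyPress core code. Enforces the idea from the ticket:
// whatever user_id the template or a request parameter supplied, a non-admin
// viewer may only ever list their own message threads.
//
// Assumptions: the filter name below follows bp_parse_args()'s
// "bp_after_{key}_parse_args" pattern for the key used in
// bp_has_message_threads(); 'bp_moderate' stands in for "super admin".

function example_force_message_threads_user_id( $r ) {
    // Community moderators / super admins keep the requested user_id.
    if ( function_exists( 'bp_current_user_can' ) && bp_current_user_can( 'bp_moderate' ) ) {
        return $r;
    }

    // Everyone else is pinned to their own account. For a logged-out visitor
    // get_current_user_id() is 0, so no other member's threads can match,
    // which closes the "viewable to any logged out visitor" hole this ticket
    // is about even if the template passed a spoofed user_id.
    $r['user_id'] = get_current_user_id();

    return $r;
}
add_filter( 'bp_after_has_message_threads_parse_args', 'example_force_message_threads_user_id' );
```

Because this runs on the parsed arguments, it applies to every caller of `bp_has_message_threads()`, which is exactly the template-level placement boonebgorges says he is not keen on; a capability check inside the query class would achieve the same effect at a lower layer.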