[buddypress-trac] [BuddyPress Trac] #6506: Should not try to redirect in bp_has_message_threads
buddypress-trac
noreply at wordpress.org
Mon Jun 15 19:12:50 UTC 2015
#6506: Should not try to redirect in bp_has_message_threads
-----------------------------------+------------------
Reporter: johnjamesjacoby | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.4
Component: Component - Messaging | Version: 1.0
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------------------+------------------
Comment (by johnjamesjacoby):
Replying to [comment:7 boonebgorges]:
> Thanks, johnjamesjacoby. But again: this change will introduce a
> security problem for anyone who is calling `bp_has_message_threads()` and
> expecting it to do the necessary cap checks. Perhaps no one is doing this,
> and perhaps we can make the change and document/advertise it, but I do
> want it to be noted before we just pull the check out.
But it doesn't.
The current capability check only ever happens if a non-capable member
manually attempts to visit `/members/themself/messages/notices/` which is
already not hooked into `bp_screens` if the member does not have the
`bp_moderate` capability.
This means that if a developer is incorrectly using
`bp_has_message_threads()` like you're stating, this bit of code only
actually helps protect them from themselves when a non-capable member
visits `/notices` having core-hacked `BP_Messages_Component::setup_nav()`
to remove the capability check in `setup_nav()`.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6506#comment:8>
BuddyPress Trac <http://buddypress.org/>
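As an added illustration of the point under discussion (this is example code, not part of the ticket, the patch, or BuddyPress itself): a plugin that renders the notices loop should perform its own `bp_moderate` capability check rather than relying on `bp_has_message_threads()` to redirect. The function below returns an empty string for non-capable users instead of redirecting, so it is safe to call from any template or screen hook. `bp_current_user_can()` and `bp_has_message_threads()` are real BuddyPress functions; the `box` argument value `'notices'` is assumed here from the messages loop's box parameter.

```php
<?php
/**
 * Render the site notices loop for moderators only.
 *
 * Example code, not BuddyPress core. The capability check lives in the
 * caller, so the loop function never needs to redirect on its own.
 *
 * @return string Rendered HTML, or an empty string for non-capable users.
 */
function example_render_notices_for_moderators() {
    // Enforce the capability here, in the caller, and fail closed:
    // return nothing rather than redirecting from inside a template loop.
    if ( ! bp_current_user_can( 'bp_moderate' ) ) {
        return '';
    }

    // 'box' => 'notices' is assumed to select the notices loop.
    if ( ! bp_has_message_threads( array( 'box' => 'notices' ) ) ) {
        return '<p>' . esc_html__( 'No notices found.', 'example-plugin' ) . '</p>';
    }

    ob_start();
    echo '<ul class="example-notices">';
    while ( bp_message_threads() ) {
        bp_message_thread();
        echo '<li>' . esc_html( bp_get_message_thread_subject() ) . '</li>';
    }
    echo '</ul>';
    return ob_get_clean();
}
```

Keeping the check in the caller mirrors the ticket's position: `setup_nav()` already hides the notices screen from members without `bp_moderate`, and any code that reaches the loop some other way is responsible for its own authorization.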