[buddypress-trac] [BuddyPress Trac] #6941: Make sure inviter_id !== 0 before inviting a user to a group

buddypress-trac noreply at wordpress.org
Thu Mar 3 22:39:19 UTC 2016

#6941: Make sure inviter_id !== 0 before inviting a user to a group
 Reporter:  danbrellis          |      Owner:
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Component - Groups  |    Version:  2.5.0
 Severity:  normal              |   Keywords:
 Because of some errors on my end with checking permissions, my members got
 hundreds of spam invitations to every group on the site. I should have had
 the proper systems in place to prevent this, but while i was investigating
 I came across something in core that would have prevented this also.

 In `groups_invite_user()` (line 1090 of bp-groups/bp-groups-
 functions.php), we should check if the inviter id is not 0. In my case,
 all of the spam invites had an inviter_id of 0.

 It could be as simple as ammending line 1103:

 if ( empty( $user_id ) || empty( $group_id ) || empty( $inviter_id) )
   return false;

 If I'm wrong in assuming that every invitation should have an inviter, I
 apologize for jumping to conclusions. Also, I'm sure there are other
 methods in place to correct this, but when someone is developing a plugin
 (like I was) that uses this function, it would be a nice back-up.
 Especially since in the query for invites in
 `BP_Groups_Member::get_invites()`, the statement includes
 AND m.inviter_id != 0

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6941>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list