[buddypress-trac] [BuddyPress Trac] #6941: Make sure inviter_id !== 0 before inviting a user to a group

buddypress-trac noreply at wordpress.org
Fri Mar 4 20:31:40 UTC 2016

#6941: Make sure inviter_id !== 0 before inviting a user to a group
 Reporter:  danbrellis          |       Owner:  dcavins
     Type:  defect (bug)        |      Status:  accepted
 Priority:  normal              |   Milestone:  Awaiting Review
Component:  Component - Groups  |     Version:  2.5.0
 Severity:  normal              |  Resolution:
 Keywords:                      |

Comment (by danbrellis):

 These were group invitations to existing groups. The calls were made
 through a custom script (triggered by a $_GET variable) I had written that
 uses `groups_invite_user()` and while I did check for a nonce, I didn't
 check to make sure `bp_loggedin_user_id()` didn't return 0. Hence,
 something/someone was able to bypass or replicate the nonce and make the
 call to the script even though they were not logged in.

 To your other point about membership requests to a group being recorded
 with an `inviter_id` of 0, I didn't know that. However, I do know that all
 of these calls were invites and not requests because I had complaints from
 my users about receiving dozens of emails that they were invited to all
 these groups.

 PS- I am using a custom script and not BP's built in invite functionality
 to call `groups_invite_user()` because my site doesn't utilize the friends

 Like I said, I figured BP already had checks in place and I learned my
 lesson abut doing it myself, but if that added level of security doesn't
 interfere with any normal operations, I would suggest adding it in since
 it's simple enough and might help someone else out.

 Thanks for the time.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6941#comment:3>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list