[buddypress-trac] [BuddyPress Trac] #6941: Make sure inviter_id !== 0 before inviting a user to a group
buddypress-trac
noreply at wordpress.org
Fri Mar 4 20:31:40 UTC 2016
#6941: Make sure inviter_id !== 0 before inviting a user to a group
--------------------------------+------------------------------
Reporter: danbrellis | Owner: dcavins
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: Awaiting Review
Component: Component - Groups | Version: 2.5.0
Severity: normal | Resolution:
Keywords: |
--------------------------------+------------------------------
Comment (by danbrellis):
These were group invitations to existing groups. The calls were made
through a custom script (triggered by a $_GET variable) I had written that
uses `groups_invite_user()` and while I did check for a nonce, I didn't
check to make sure `bp_loggedin_user_id()` didn't return 0. Hence,
something/someone was able to bypass or replicate the nonce and make the
call to the script even though they were not logged in.
To your other point about membership requests to a group being recorded
with an `inviter_id` of 0, I didn't know that. However, I do know that all
of these calls were invites and not requests because I had complaints from
my users about receiving dozens of emails that they were invited to all
these groups.
PS - I am using a custom script and not BP's built-in invite functionality
to call `groups_invite_user()` because my site doesn't utilize the friends
component.
Like I said, I figured BP already had checks in place and I learned my
lesson about doing it myself, but if that added level of security doesn't
interfere with any normal operations, I would suggest adding it in since
it's simple enough and might help someone else out.
Thanks for the time.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6941#comment:3>
BuddyPress Trac <http://buddypress.org/>
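A hardened version of the kind of `$_GET`-triggered invite script the reporter describes, shown as an added example that is not code from the ticket or from BuddyPress itself. It verifies the nonce, then refuses to proceed when `bp_loggedin_user_id()` returns 0, and checks that the inviter is a member of the group before calling `groups_invite_user()` with an explicit `inviter_id`; the hook, parameter names and nonce action are assumptions.

```php
<?php
/**
 * Added example (not from the ticket or BuddyPress): a $_GET-triggered
 * invite handler that only runs for a real, logged-in group member.
 * The hook, parameter names and the nonce action are assumptions.
 */
add_action( 'bp_actions', 'example_handle_custom_group_invite' );

function example_handle_custom_group_invite() {
    if ( ! isset( $_GET['example_invite'], $_GET['group_id'], $_GET['user_id'], $_GET['_wpnonce'] ) ) {
        return;
    }

    // 1. CSRF check. A nonce is not an authentication check: a nonce issued to a
    //    logged-out visitor (user ID 0) verifies for any other logged-out visitor.
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_group_invite' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Authentication. This is the check the ticket is about: without it,
    //    an inviter_id of 0 reaches groups_invite_user().
    $inviter_id = bp_loggedin_user_id();
    if ( 0 === $inviter_id ) {
        wp_die( 'You must be logged in to invite members.', '', array( 'response' => 403 ) );
    }

    $group_id = absint( $_GET['group_id'] );
    $user_id  = absint( $_GET['user_id'] );

    // 3. Authorization. Only an existing member of the group may invite others to it.
    if ( ! groups_is_user_member( $inviter_id, $group_id ) ) {
        wp_die( 'You are not a member of this group.', '', array( 'response' => 403 ) );
    }

    // 4. Pass inviter_id explicitly rather than relying on the default.
    $invited = groups_invite_user( array(
        'user_id'    => $user_id,
        'group_id'   => $group_id,
        'inviter_id' => $inviter_id,
    ) );

    if ( $invited ) {
        groups_send_invites( $inviter_id, $group_id );
    }
}
```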