[buddypress-trac] [BuddyPress Trac] #7298: xprofile field user visibility settings regression
buddypress-trac
noreply at wordpress.org
Fri Oct 21 15:33:48 UTC 2016
#7298: xprofile field user visibility settings regression
------------------------------+--------------------
Reporter: hnla | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: Extended Profile | Version:
Severity: major | Resolution:
Keywords: needs-patch |
------------------------------+--------------------
Comment (by DJPaul):
Two issues. Our code relied on something in WordPress that I don't think
should have worked, so here's a WordPress patch just for reference and
reporting upstream if someone wants to do that:
https://gist.github.com/paulgibbs/1f0c9b60374c45c4f0f1ed27bcd9f952
`wp_get_current_user` returns a blank `WP_User` object when you are not
logged in, but the `empty` check here is inadequate to follow the intention
of this code block (to bail out early). As a consequence, a later call to
`WP_User->has_cap` was being made, which invokes `map_meta_cap`, which
calls the filter of the same name, eventually letting our
`BuddyPress_xprofile_map_meta_caps` run, which allows anonymous users to have
the `bp_xprofile_change_field_visibility` capability, which is directly
related to the bug @hnla found.
We changed how `bp_current_user_can` and friends work in 2.7, which
removed the call to `current_user_can_for_blog` (which is where that WP
patch applies).
I am still looking at how best to fix this in BuddyPress.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7298#comment:4>
BuddyPress Trac <http://buddypress.org/>
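The failure mode described in the comment above, as an added illustration that is not BuddyPress or WordPress code and not the patch in the linked gist: in PHP, `empty()` applied to any object is always false, so an `empty( $user )` guard never bails for the blank `WP_User` (ID 0) that `wp_get_current_user()` returns to a logged-out visitor, and control falls through to the capability check. The `WP_User` stub, `example_current_user()` and `example_grant_via_filter()` below are constructed stand-ins that mirror only the behaviour the comment describes (a blank user object and a filter callback that hands out the capability without looking at who asked); the hardened variant bails on `$user->exists()`, which real `WP_User` does provide.

```php
<?php
// Added example (not BuddyPress or WordPress code). Minimal stand-in for the
// two members of WP_User this script relies on: the public $ID property and
// exists(). Real WordPress defines WP_User itself; the stub only makes the
// script runnable on its own with `php this_file.php`.
if ( ! class_exists( 'WP_User' ) ) {
    class WP_User {
        public $ID;
        public function __construct( $id = 0 ) {
            $this->ID = (int) $id;
        }
        // Real WP_User::exists() reports whether the object is backed by a
        // user row; ID 0 means "nobody".
        public function exists() {
            return ! empty( $this->ID );
        }
    }
}

// Stand-in for wp_get_current_user(): a logged-out visitor gets a WP_User
// with ID 0, never null or false. (Constructed; user ID 42 is arbitrary.)
function example_current_user( $logged_in ) {
    return $logged_in ? new WP_User( 42 ) : new WP_User( 0 );
}

// Hypothetical model of a map_meta_cap-style callback that grants the
// capability to whoever reaches it without checking $user->ID, i.e. the
// behaviour the ticket comment attributes to the filter chain. Not the real
// BuddyPress callback.
function example_grant_via_filter( WP_User $user, $cap ) {
    return $cap === 'bp_xprofile_change_field_visibility';
}

// Weak guard: empty() on an object is always false in PHP, so this early
// return never fires and anonymous visitors reach the capability check.
function can_change_visibility_weak( WP_User $user ) {
    if ( empty( $user ) ) {
        return false;
    }
    return example_grant_via_filter( $user, 'bp_xprofile_change_field_visibility' );
}

// Hardened guard: ask the object whether it represents a real account before
// any capability mapping is consulted.
function can_change_visibility_guarded( WP_User $user ) {
    if ( ! $user->exists() ) {
        return false;
    }
    return example_grant_via_filter( $user, 'bp_xprofile_change_field_visibility' );
}

// Show both guards against a logged-in user and an anonymous visitor.
foreach ( array( 'logged in' => true, 'anonymous' => false ) as $label => $logged_in ) {
    $user = example_current_user( $logged_in );
    printf(
        "%-9s  ID=%d  empty(\$user)=%s  weak=%s  guarded=%s\n",
        $label,
        $user->ID,
        var_export( empty( $user ), true ),
        var_export( can_change_visibility_weak( $user ), true ),
        var_export( can_change_visibility_guarded( $user ), true )
    );
}
```

Running it shows `empty($user)` reported as `false` for both users, so the weak guard grants the capability to the anonymous visitor while the guarded version returns `false` for ID 0; the same check is available as `is_user_logged_in()` in WordPress proper, and either form makes the early bail-out actually happen before `has_cap()` and the `map_meta_cap` filter are reached.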