[buddypress-trac] [BuddyPress Trac] #7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function
buddypress-trac
noreply at wordpress.org
Thu Jan 4 12:38:21 UTC 2018
#7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function
--------------------------------------+-----------------------
Reporter:  DJPaul                     | Owner:
Type:      enhancement                | Status:      assigned
Priority:  high                       | Milestone:   3.0
Component: Activity                   | Version:
Severity:  normal                     | Resolution:
Keywords:  has-patch has-unit-tests   |
--------------------------------------+-----------------------
Comment (by espellcaste):
@DJPaul The current implementation took that into account.
> if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === $bp->groups->id ) {
This line checks whether the Groups component is active and whether the current
activity is group related. The `isset( $bp->groups->id )` part was a mistake
in my opinion; used after the `bp_is_active( 'groups' )` check, it was not
necessary.
> Otherwise the patch leaks private/hidden Group Activity items
It is only shown to those we allow access to, regardless of whether it is
private or not.
It's worth mentioning that this is not blocking the user from seeing the group; it is
allowing/blocking seeing the permalink URL.
Does that mean that users who created activities, and whose group was later
disabled, cannot see their activities and their comments via URL?
Are they removed from their notification feed and history after a group is
disabled?
> needs to prevent access to Group Activity items when the Groups component is disabled
So no access to its creators, admins, mods?? :/
> $retval = $group->user_has_access;
Then it goes to check if the user has access to the group activity.
So no leakage here.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7048#comment:21>
BuddyPress Trac <http://buddypress.org/>
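The permission branch debated in this comment, written out as an added, self-contained example. This is not BuddyPress's code: `Activity`, `Group`, `can_view_activity_permalink()` and the fixtures are assumptions made for the illustration, `$groups_active` stands in for `bp_is_active( 'groups' )`, `$groups_component_id` for `$bp->groups->id`, and the baseline `$retval` (author or moderator) is assumed because the ticket only shows the group branch.

```php
<?php
// Added example, not BuddyPress code: a model of the single-activity permalink
// permission check quoted in the ticket, run against constructed fixtures.

class Activity {
    public $user_id;   // author of the item
    public $component; // e.g. 'activity' or 'groups'
    public $item_id;   // group id when $component === 'groups'

    public function __construct( $user_id, $component, $item_id = 0 ) {
        $this->user_id   = $user_id;
        $this->component = $component;
        $this->item_id   = $item_id;
    }
}

class Group {
    public $id;
    public $status;     // 'public', 'private' or 'hidden' (assumed visibility values)
    public $member_ids;

    public function __construct( $id, $status, array $member_ids ) {
        $this->id         = $id;
        $this->status     = $status;
        $this->member_ids = $member_ids;
    }

    // Stand-in for the $group->user_has_access value the ticket refers to:
    // anyone may read a public group, only members may read private/hidden ones.
    public function user_has_access( $user_id ) {
        return 'public' === $this->status || in_array( $user_id, $this->member_ids, true );
    }
}

/**
 * Decide whether $user_id may open the permalink of $activity.
 * $groups_active mirrors bp_is_active( 'groups' ), $groups_component_id mirrors
 * $bp->groups->id, $is_moderator is an assumed site-wide moderator flag.
 */
function can_view_activity_permalink( Activity $activity, $user_id, $groups_active, $groups_component_id, $is_moderator, array $groups ) {
    // Assumed baseline: the author and moderators can always read.
    $retval = ( $user_id === $activity->user_id ) || $is_moderator;

    // The branch quoted in the ticket: consulted only when the baseline denied,
    // the Groups component is active and the item belongs to a group.
    if ( ! $retval && $groups_active && $activity->component === $groups_component_id ) {
        $group  = isset( $groups[ $activity->item_id ] ) ? $groups[ $activity->item_id ] : null;
        // Unknown group: deny rather than fall through (fail closed).
        $retval = $group ? $group->user_has_access( $user_id ) : false;
    }

    return $retval;
}

// Constructed fixtures: user 1 authored both items; users 1 and 3 belong to the hidden group.
$groups = array(
    10 => new Group( 10, 'public', array( 1, 2 ) ),
    11 => new Group( 11, 'hidden', array( 1, 3 ) ),
);
$public_item = new Activity( 1, 'groups', 10 );
$hidden_item = new Activity( 1, 'groups', 11 );

$cases = array(
    'author sees own hidden-group item'         => can_view_activity_permalink( $hidden_item, 1, true, 'groups', false, $groups ),
    'member sees hidden-group item'             => can_view_activity_permalink( $hidden_item, 3, true, 'groups', false, $groups ),
    'non-member blocked from hidden-group item' => can_view_activity_permalink( $hidden_item, 2, true, 'groups', false, $groups ),
    'anyone sees public-group item'             => can_view_activity_permalink( $public_item, 3, true, 'groups', false, $groups ),
    'moderator sees hidden-group item'          => can_view_activity_permalink( $hidden_item, 4, true, 'groups', true, $groups ),
    // Groups component disabled: the group branch is skipped, only the baseline applies.
    'member, groups component disabled'         => can_view_activity_permalink( $hidden_item, 3, false, 'groups', false, $groups ),
);

foreach ( $cases as $label => $allowed ) {
    printf( "%-45s %s\n", $label, $allowed ? 'allowed' : 'denied' );
}
```

Run with `php` on the command line. The non-member case is the "no leakage" point: a hidden-group item resolves to the group's own access rule, so a user outside the group is denied even though the item has a permalink. The last case only shows what the quoted condition does when the component is disabled (the group branch is never reached, so the assumed baseline decides); which behaviour is correct there is exactly what the ticket is still debating, and the example takes no position on it.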