[buddypress-trac] [BuddyPress Trac] #7936: joinleave_group not working on private Group
buddypress-trac
noreply at wordpress.org
Fri Jul 27 21:03:50 UTC 2018
#7936: joinleave_group not working on private Group
--------------------------+---------------------
 Reporter:  ravipatel     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  high          |   Milestone:  3.2.0
Component:  Groups        |     Version:  3.0.0
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+---------------------
Changes (by boonebgorges):
* version: => 3.0.0
* milestone: Awaiting Review => 3.2.0
Comment:
There does appear to be a problem here.
1. With userA, create a Private group
2. With userB - who has the 'bp_moderate' cap - go to the directory and
click 'Request Membership'
The problem is that 'joinleave_group' requests are ambiguous. The client
doesn't specify whether the correct action is a "join" or a "request" or a
"leave" or an "accept". Prior to [11776], it used the user's group
membership status to infer the purpose of the request. After [11776],
permission checks are used to infer the purpose of the request, and the
permission checks *contain* a membership-status check. The problem is that
the permission checks also do other things.
In particular, 'bp_moderate' users are allowed to do anything, so
`bp_current_user_can()` checks always return `true`. This means that
https://buddypress.trac.wordpress.org/browser/tags/3.1.0/src/bp-templates/bp-legacy/buddypress-functions.php?marks=1515#L1514
returns true for an admin user, even on private groups where membership
must be requested.
When this happens, `check_ajax_referer( 'groups_join_group' )` fails,
because the nonce for this request is actually for
'groups_request_membership'.
To fix this, we need to separate out the permission check from the logic
check. A suggested patch is attached, for bp-legacy.
Note that the patch doesn't fix what appears to be a typo related to the
permission check for accepting invitations - @dcavins is this meant to be
'groups_request_membership'? See also the error message that follows.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7936#comment:9>
BuddyPress Trac <http://buddypress.org/>
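The following PHP sketch is an added illustration for this page; it is not BuddyPress code and not the patch attached to the ticket. It models the two inference strategies the comment contrasts for an ambiguous 'joinleave_group' request: deriving the action from permission checks (where a 'bp_moderate' user passes every check, so the first check always wins) versus deriving it from membership status first and gating on permission afterwards. The `$group` and `$users` arrays, `user_can()`, `infer_action_from_*()`, `verify_nonce()` and `handle_joinleave()` are hypothetical stand-ins for `bp_current_user_can()`, `check_ajax_referer()` and the template logic; only the nonce action names 'groups_join_group' and 'groups_request_membership' come from the comment.

```php
<?php
// Added illustration, not BuddyPress code. Shows why inferring the action of
// an ambiguous 'joinleave_group' request from permission checks breaks nonce
// verification for bp_moderate users, and how separating the two fixes it.

// Constructed state: one private group; userA is a member, userB is a
// moderator who is not a member and has not yet requested membership.
$group = ['id' => 1, 'status' => 'private'];
$users = [
    'userA' => ['caps' => [],              'member_of' => [1], 'requested' => []],
    'userB' => ['caps' => ['bp_moderate'], 'member_of' => [],  'requested' => []],
];

// Stand-in for bp_current_user_can(): bp_moderate users pass every check.
// That short-circuit is the property the comment points at.
function user_can(array $user, string $cap, array $group): bool {
    if (in_array('bp_moderate', $user['caps'], true)) {
        return true;
    }
    $is_member    = in_array($group['id'], $user['member_of'], true);
    $has_requested = in_array($group['id'], $user['requested'], true);
    switch ($cap) {
        case 'groups_join_group':
            return $group['status'] === 'public' && !$is_member;
        case 'groups_request_membership':
            return $group['status'] === 'private' && !$is_member && !$has_requested;
        case 'groups_leave_group':
            return $is_member;
    }
    return false;
}

// Status-based inference: decide the intended action from membership
// status alone, before any capability is consulted.
function infer_action_from_status(array $user, array $group): string {
    if (in_array($group['id'], $user['member_of'], true)) {
        return 'groups_leave_group';
    }
    return $group['status'] === 'public' ? 'groups_join_group' : 'groups_request_membership';
}

// Permission-based inference: decide the action from whichever permission
// check passes first. For a bp_moderate user the first candidate always wins.
function infer_action_from_permissions(array $user, array $group): string {
    foreach (['groups_join_group', 'groups_request_membership', 'groups_leave_group'] as $cap) {
        if (user_can($user, $cap, $group)) {
            return $cap;
        }
    }
    return 'none';
}

// Stand-in for check_ajax_referer(): the client's nonce is bound to one
// action string, and verification fails if the server expects another.
function verify_nonce(string $expected_action, string $nonce_action): bool {
    return $expected_action === $nonce_action;
}

// Fixed flow: membership status decides the action, the nonce is verified for
// that action, and only then is the capability checked as a separate gate.
function handle_joinleave(array $user, array $group, string $nonce_action): string {
    $action = infer_action_from_status($user, $group);
    if (!verify_nonce($action, $nonce_action)) {
        return 'nonce failure';
    }
    if (!user_can($user, $action, $group)) {
        return 'permission denied';
    }
    return "performed $action";
}

// The directory rendered a 'Request Membership' button for userB, so the
// client sends a nonce for 'groups_request_membership' (the ticket's case).
$client_nonce_action = 'groups_request_membership';
$userB = $users['userB'];

$buggy = infer_action_from_permissions($userB, $group);
printf("permission-based inference: %s -> nonce %s\n", $buggy,
    verify_nonce($buggy, $client_nonce_action) ? 'ok' : 'FAILS');

$fixed = infer_action_from_status($userB, $group);
printf("status-based inference:     %s -> nonce %s\n", $fixed,
    verify_nonce($fixed, $client_nonce_action) ? 'ok' : 'FAILS');

echo handle_joinleave($userB, $group, $client_nonce_action), "\n";
```

Running this prints a nonce failure for the permission-based path (it picks 'groups_join_group' because the moderator passes that check first) and success for the status-based path, which then still consults `user_can()` before acting. The point of the split is that a capability check answers "may this user do X", not "which X did the client mean", so it cannot safely stand in for the latter.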