[buddypress-trac] [BuddyPress Trac] #7683: friends_add_friend doesnt check if user ids exist
buddypress-trac
noreply at wordpress.org
Fri Mar 2 20:39:21 UTC 2018
#7683: friends_add_friend doesnt check if user ids exist
-----------------------------------+------------------------
Reporter: modemlooper | Owner: djpaul
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 3.0
Component: Friends | Version: 2.9.2
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion |
-----------------------------------+------------------------
Changes (by boonebgorges):
* keywords: => has-patch 2nd-opinion
* owner: => djpaul
* status: new => reviewing
* milestone: Awaiting Review => 3.0
Comment:
Thanks for the additional info, @modemlooper.
The potential for harm here is pretty low. If someone inserts a dummy
friendship, it won't show up in any friendship lists, because those lists
- which are powered by `bp_has_members()` - *do* check against the users
table. The only potential mischief is filling up the table with bad data.
I'm attaching two different patches. The `ajax` patch fixes the problem in
the "client" functions, as I've suggested. The `business` patch fixes it
in `friends_add_friend()`, as @modemlooper and others have suggested. I
will note that, aside from my arguments above about consistency and
leanness in business functions, there's another reason to go with the
`ajax` approach: `friends_add_friend()` etc. return a simple `false` value
on failure, no matter the nature of the failure, so it's not possible to
have a tailored error message.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7683#comment:8>
BuddyPress Trac <http://buddypress.org/>
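
A small model of the two approaches compared in the comment above, added here as an illustration; it is not taken from either attached patch or from BuddyPress. All `demo_*` functions and the in-memory arrays are hypothetical stand-ins for the real functions and database tables.

```php
<?php
// Constructed sample data standing in for the users and friendships tables.
$users = [1 => 'alice', 2 => 'bob'];
$friendships = [];

// Hypothetical stand-in for a lean business function: as described above,
// every failure collapses into a bare false and user IDs are not checked.
function demo_add_friend(array &$friendships, int $initiator, int $friend): bool {
    if ($initiator === $friend) {
        return false; // cannot befriend yourself
    }
    foreach ($friendships as $row) {
        if ($row === [$initiator, $friend]) {
            return false; // already requested
        }
    }
    $friendships[] = [$initiator, $friend];
    return true;
}

// Hypothetical "client" handler: validates both IDs against the users table
// first, so each failure gets its own message and no orphan row is written.
function demo_ajax_add_friend(array $users, array &$friendships, $initiator, $friend): array {
    $opts = ['options' => ['min_range' => 1]];
    $initiator = filter_var($initiator, FILTER_VALIDATE_INT, $opts);
    $friend = filter_var($friend, FILTER_VALIDATE_INT, $opts);
    if ($initiator === false || $friend === false) {
        return ['ok' => false, 'error' => 'Invalid user ID.'];
    }
    if (!isset($users[$initiator])) {
        return ['ok' => false, 'error' => 'Initiating user does not exist.'];
    }
    if (!isset($users[$friend])) {
        return ['ok' => false, 'error' => 'Requested user does not exist.'];
    }
    if (!demo_add_friend($friendships, $initiator, $friend)) {
        return ['ok' => false, 'error' => 'Friendship could not be requested.'];
    }
    return ['ok' => true, 'error' => null];
}

// Unvalidated call: ID 999 is not in $users, yet a friendship row is stored.
var_dump(demo_add_friend($friendships, 1, 999));
echo count($friendships), " row(s) after unvalidated call\n";

// Validated calls: the missing user is rejected with a specific message.
print_r(demo_ajax_add_friend($users, $friendships, 1, 404));
print_r(demo_ajax_add_friend($users, $friendships, '1', '2'));
echo count($friendships), " row(s) after validated calls\n";
```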