[buddypress-trac] [BuddyPress Trac] #8036: Sanity checks for member/group widget limits

buddypress-trac noreply at wordpress.org
Mon Jan 7 20:08:13 UTC 2019

#8036: Sanity checks for member/group widget limits
 Reporter:  boonebgorges  |      Owner:  (none)
     Type:  enhancement   |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:
 Severity:  normal        |   Keywords:  2nd-opinion
 I discovered an odd issue while debugging a client site for requests that
 triggered excessive numbers of SQL queries.

 A handful of our Members and Groups widgets allow the admin to enter a
 "max" count. If you enter 0 (or, say, 999999999) it gets passed along
 blindly to the widget constructor. On a large site, this can result in
 thousands of database queries.

 The problem is especially notable on Multisite installations where BP is
 network-active. Admins of individual sites (who may not be super admins,
 and may not know what they're doing) have the ability to add BP widgets to
 their sites. So this is likely not just an education problem.

 Realistically, there's no reason why anyone would ever need more than,
 say, 50 or 100 users in a widget. I propose we do something like the
 - Add a gloss to the widget admin UI that says "Up to x members", where
 'x' 50 or 100 or something like that
 - Validate on the server (in the client too, if we can easily manage it -
 this might be easier in the Customizer) that the number is between 1 and
 the max number.
 - Run the max number through a filter so that a network admin who really
 wants a higher number can write a plugin that sets a higher ceiling.

 If this seems like overkill, we could also just silently set any large
 number (or 0) to 25 or 50 or some sane number.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8036>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list