[buddypress-trac] [BuddyPress Trac] #8675: invites.php should query the displaued user not the logged in users invites
buddypress-trac
noreply at wordpress.org
Thu Apr 7 15:22:18 UTC 2022
#8675: invites.php should query the displaued user not the logged in users invites
------------------------------------+---------------------
Reporter: shawfactor | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 11.0.0
Component: Groups | Version:
Severity: normal | Resolution:
Keywords: has-patch dev-feedback |
------------------------------------+---------------------
Comment (by dcavins):
I believe this used to be done as "security" so that a user couldn't view
another user's group invitations (there used to be several instances like
this in the member profile, if I'm remembering correctly). But, I agree,
it's wrong, and the right behavior is to show the invites belonging to the
profile that's being viewed, AND preventing access to that screen unless
the logged-in user is the displayed user or can `bp_moderate`. The legacy
template pack relies on the behavior of `bp_has_member_invitations()`
https://github.com/buddypress/buddypress/blob/ce0b69c4c8b2b27fd1b78ebd02f2145a209cef53/src
/bp-members/bp-members-template.php#L3126 which will show the displayed
user when set. Should Nouveau just use that function instead?
Thanks!
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8675#comment:6>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac
More information about the buddypress-trac
mailing list