Ticket #7048: 7048-5.diff
| File 7048-5.diff, 9.4 KB (added by , 8 years ago) |
|---|
-
src/bp-activity/bp-activity-functions.php
diff --git src/bp-activity/bp-activity-functions.php src/bp-activity/bp-activity-functions.php index 6fa46dbef..a0895fb25 100644
function bp_activity_get_permalink( $activity_id, $activity_obj = false ) { 3077 3077 return apply_filters_ref_array( 'bp_activity_get_permalink', array( $link, &$activity_obj ) ); 3078 3078 } 3079 3079 3080 /** 3081 * Can a user see a particular activity item? 3082 * 3083 * @since 3.0.0 3084 * 3085 * @param BP_Activity_Activity $activity Activity object. 3086 * @param integer $user_id User ID. 3087 * @return boolean True on success, false on failure. 3088 */ 3089 function bp_activity_user_can_read( $activity, $user_id = 0 ) { 3090 $bp = buddypress(); 3091 $retval = false; 3092 3093 // Fallback. 3094 if ( empty( $user_id ) ) { 3095 $user_id = bp_loggedin_user_id(); 3096 } 3097 3098 // Admins and moderators can see everything. 3099 if ( bp_current_user_can( 'bp_moderate' ) ) { 3100 $retval = true; 3101 } 3102 3103 // If activity author match user, allow access as well. 3104 if ( $user_id === $activity->user_id ) { 3105 $retval = true; 3106 } 3107 3108 // If activity is from a group, do an extra cap check. 3109 if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === $bp->groups->id ) { 3110 $group_id = $activity->item_id; 3111 3112 // Check to see if the user has access to the activity's parent group. 3113 $group = groups_get_group( $group_id ); 3114 if ( $group ) { 3115 $retval = $group->user_has_access; 3116 } 3117 3118 // Non-members have no access. 3119 if ( ! groups_is_user_member( $user_id, $group_id ) ) { 3120 $retval = false; 3121 } 3122 3123 // Group admins and mods have access as well. 3124 if ( groups_is_user_admin( $user_id, $group_id ) || groups_is_user_mod( $user_id, $group_id ) ) { 3125 $retval = true; 3126 } 3127 } 3128 3129 /** 3130 * Filters whether the current user has access to an activity item. 3131 * 3132 * @since 3.0.0 3133 * 3134 * @param bool $retval Return value. 3135 * @param int $user_id Current user ID. 3136 * @param BP_Activity_Activity $activity Activity object. 3137 */ 3138 return apply_filters( 'bp_activity_user_can_read', $retval, $user_id, $activity ); 3139 } 3140 3080 3141 /** 3081 3142 * Hide a user's activity. 3082 3143 * -
src/bp-activity/bp-activity-screens.php
diff --git src/bp-activity/bp-activity-screens.php src/bp-activity/bp-activity-screens.php index 7de6980a4..6b6c43c15 100644
add_action( 'bp_activity_screen_mentions', 'bp_activity_reset_my_new_mentions' ) 195 195 * 196 196 * @since 1.2.0 197 197 * 198 * @return bool|string Boolean on false or the template for a single activity item on success. 198 199 */ 199 200 function bp_activity_screen_single_activity_permalink() { 200 $bp = buddypress();201 202 201 // No displayed user or not viewing activity component. 203 if ( ! bp_is_activity_component() )202 if ( ! bp_is_activity_component() ) { 204 203 return false; 204 } 205 205 206 if ( ! bp_current_action() || !is_numeric( bp_current_action() ) ) 206 $action = bp_current_action(); 207 if ( ! $action || ! is_numeric( $action ) ) { 207 208 return false; 209 } 208 210 209 211 // Get the activity details. 210 $activity = bp_activity_get_specific( array( 'activity_ids' => bp_current_action(), 'show_hidden' => true, 'spam' => 'ham_only', ) ); 212 $activity = bp_activity_get_specific( array( 213 'activity_ids' => $action, 214 'show_hidden' => true, 215 'spam' => 'ham_only', 216 ) ); 211 217 212 218 // 404 if activity does not exist 213 219 if ( empty( $activity['activities'][0] ) || bp_action_variables() ) { … … function bp_activity_screen_single_activity_permalink() { 218 224 $activity = $activity['activities'][0]; 219 225 } 220 226 221 // Default access is true.222 $has_access = true;223 224 // If activity is from a group, do an extra cap check.225 if ( isset( $bp->groups->id ) && $activity->component == $bp->groups->id ) {226 227 // Activity is from a group, but groups is currently disabled.228 if ( !bp_is_active( 'groups') ) {229 bp_do_404();230 return;231 }232 233 // Check to see if the user has access to to the activity's parent group.234 if ( $group = groups_get_group( $activity->item_id ) ) {235 $has_access = $group->user_has_access;236 }237 }238 239 // If activity author does not match displayed user, block access.240 if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {241 $has_access = false;242 }243 244 227 /** 245 * Filters the access permission for a single activity view.228 * Check user access to the activity item. 246 229 * 247 * @since 1.2.0 248 * 249 * @param array $access Array holding the current $has_access value and current activity item instance. 230 * @since 3.0.0 250 231 */ 251 $has_access = apply_filters_ref_array( 'bp_activity_permalink_access', array( $has_access, &$activity) );232 $has_access = bp_activity_user_can_read( $activity, bp_displayed_user_id() ); 252 233 253 234 /** 254 235 * Fires before the loading of a single activity template file. … … function bp_activity_screen_single_activity_permalink() { 273 254 } else { 274 255 $url = sprintf( 275 256 wp_login_url( 'wp-login.php?redirect_to=%s' ), 276 esc_url_raw( bp_activity_get_permalink( bp_current_action()) )257 esc_url_raw( bp_activity_get_permalink( $action ) ) 277 258 ); 278 259 } 279 260 … … function bp_activity_screen_single_activity_permalink() { 287 268 * 288 269 * @param string $template Path to the activity template to load. 289 270 */ 290 bp_core_load_template( apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ) ); 271 $template = apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ); 272 273 // Load the template. 274 bp_core_load_template( $template ); 291 275 } 292 276 add_action( 'bp_screens', 'bp_activity_screen_single_activity_permalink' ); 293 277 -
tests/phpunit/testcases/activity/functions.php
diff --git tests/phpunit/testcases/activity/functions.php tests/phpunit/testcases/activity/functions.php index a4b831d0d..682942b17 100644
Bar!'; 1475 1475 $this->assertSame( array(), $found['activities'] ); 1476 1476 } 1477 1477 1478 /** 1479 * @group bp_activity_user_can_read 1480 */ 1481 public function test_user_can_access_their_own_activity() { 1482 $u = self::factory()->user->create(); 1483 1484 $a = self::factory()->activity->create( array( 1485 'user_id' => $u, 1486 ) ); 1487 1488 $o = self::factory()->activity->get_object_by_id( $a ); 1489 1490 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1491 } 1492 1493 /** 1494 * @group bp_activity_user_can_read 1495 */ 1496 public function test_user_cannot_access_someone_elses_activity() { 1497 $u = self::factory()->user->create(); 1498 $u2 = self::factory()->user->create(); 1499 1500 $a = self::factory()->activity->create( array( 1501 'user_id' => $u2, 1502 ) ); 1503 1504 $o = self::factory()->activity->get_object_by_id( $a ); 1505 1506 $this->assertFalse( bp_activity_user_can_read( $o, $u ) ); 1507 $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) ); 1508 } 1509 1510 /** 1511 * @group bp_activity_user_can_read 1512 */ 1513 public function test_admin_can_access_someone_elses_activity() { 1514 $u = self::factory()->user->create(); 1515 $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 1516 1517 $a = self::factory()->activity->create( array( 1518 'user_id' => $u, 1519 ) ); 1520 1521 $o = self::factory()->activity->get_object_by_id( $a ); 1522 1523 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1524 1525 $this->set_current_user( $u2 ); 1526 $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) ); 1527 } 1528 1529 /** 1530 * @group bp_activity_user_can_read 1531 */ 1532 public function test_group_admin_access_someone_elses_activity_in_a_grou() { 1533 $u = self::factory()->user->create(); 1534 $u2 = self::factory()->user->create(); 1535 1536 $g = self::factory()->group->create(); 1537 1538 $a = self::factory()->activity->create( array( 1539 'component' => buddypress()->groups->id, 1540 'user_id' => $u, 1541 'item_id' => $g, 1542 ) ); 1543 1544 $o = self::factory()->activity->get_object_by_id( $a ); 1545 1546 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1547 1548 self::add_user_to_group( $u2, $g ); 1549 1550 $m1 = new BP_Groups_Member( $u2, $g ); 1551 $m1->promote( 'admin' ); 1552 1553 $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) ); 1554 } 1555 1556 /** 1557 * @group bp_activity_user_can_read 1558 */ 1559 public function test_non_member_cannot_access_to_someone_elses_activity_in_a_group() { 1560 $u = self::factory()->user->create(); 1561 $u2 = self::factory()->user->create(); 1562 1563 $g = self::factory()->group->create(); 1564 1565 self::add_user_to_group( $u, $g ); 1566 1567 $a = self::factory()->activity->create( array( 1568 'component' => buddypress()->groups->id, 1569 'user_id' => $u, 1570 'item_id' => $g, 1571 ) ); 1572 1573 $o = self::factory()->activity->get_object_by_id( $a ); 1574 1575 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1576 $this->assertFalse( bp_activity_user_can_read( $o, $u2 ) ); 1577 } 1578 1579 /** 1580 * @group bp_activity_user_can_read 1581 */ 1582 public function test_user_access_to_his_activity_in_disabled_group() { 1583 $u = self::factory()->user->create(); 1584 $g = self::factory()->group->create(); 1585 1586 self::add_user_to_group( $u, $g ); 1587 1588 $a = self::factory()->activity->create( array( 1589 'component' => buddypress()->groups->id, 1590 'user_id' => $u, 1591 'item_id' => $g, 1592 ) ); 1593 1594 $o = self::factory()->activity->get_object_by_id( $a ); 1595 1596 groups_edit_group_settings( $g, 0, 'hidden' ); 1597 1598 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1599 1600 groups_edit_group_settings( $g, 0, 'private' ); 1601 1602 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1603 } 1604 1478 1605 public function check_activity_caches() { 1479 1606 foreach ( $this->acaches as $k => $v ) { 1480 1607 $this->acaches[ $k ] = wp_cache_get( $k, 'bp_activity' );