Ticket #7048: 7048.diff
| File 7048.diff, 7.3 KB (added by , 8 years ago) |
|---|
-
src/bp-activity/bp-activity-functions.php
diff --git src/bp-activity/bp-activity-functions.php src/bp-activity/bp-activity-functions.php index 6fa46dbef..052a294eb 100644
function bp_activity_get_permalink( $activity_id, $activity_obj = false ) { 3077 3077 return apply_filters_ref_array( 'bp_activity_get_permalink', array( $link, &$activity_obj ) ); 3078 3078 } 3079 3079 3080 /** 3081 * Can a user see a particular activity item? 3082 * 3083 * @since 3.0.0 3084 * 3085 * @param object $activity Activity object. 3086 * @param integer $user_id User ID. 3087 * @return boolean True on success, false on failure. 3088 */ 3089 function bp_activity_permalink_access( $activity, $user_id = 0 ) { 3090 $bp = buddypress(); 3091 $retval = false; 3092 3093 // Fallback. 3094 if ( empty( $user_id ) ) { 3095 $user_id = bp_loggedin_user_id(); 3096 } 3097 3098 // Admins and moderators can see everything. 3099 if ( bp_current_user_can( 'bp_moderate' ) ) { 3100 $retval = true; 3101 } 3102 3103 // If activity is from a group, do an extra cap check. 3104 if ( bp_is_active( 'groups' ) && $activity->component === $bp->groups->id ) { 3105 $group_id = $activity->item_id; 3106 3107 // Check to see if the user has access to the activity's parent group. 3108 $group = groups_get_group( $group_id ); 3109 if ( $group ) { 3110 $retval = $group->user_has_access; 3111 } 3112 3113 // Group admins and mods have access as well. 3114 if ( groups_is_user_admin( $user_id, $group_id ) || groups_is_user_mod( $user_id, $group_id ) ) { 3115 $retval = true; 3116 } 3117 } 3118 3119 // If activity author match user, allow access as well. 3120 if ( $user_id === $activity->user_id ) { 3121 $retval = true; 3122 } 3123 3124 /** 3125 * Filters whether the current user can has access to an activity item. 3126 * 3127 * @since 3.0.0 3128 * 3129 * @param bool $retval Return value. 3130 * @param int $user_id Current user ID. 3131 * @param object $activity Activity obhect. 3132 */ 3133 return apply_filters( 'bp_activity_permalink_access', $retval, $user_id, $activity ); 3134 } 3135 3080 3136 /** 3081 3137 * Hide a user's activity. 3082 3138 * -
src/bp-activity/bp-activity-screens.php
diff --git src/bp-activity/bp-activity-screens.php src/bp-activity/bp-activity-screens.php index 7de6980a4..43ebdd45c 100644
add_action( 'bp_activity_screen_mentions', 'bp_activity_reset_my_new_mentions' ) 195 195 * 196 196 * @since 1.2.0 197 197 * 198 * @return bool|string Boolean on false or the template for a single activity item on success. 198 199 */ 199 200 function bp_activity_screen_single_activity_permalink() { 200 $bp = buddypress();201 202 201 // No displayed user or not viewing activity component. 203 if ( ! bp_is_activity_component() )202 if ( ! bp_is_activity_component() ) { 204 203 return false; 204 } 205 205 206 if ( ! bp_current_action() || !is_numeric( bp_current_action() ) ) 206 $action = bp_current_action(); 207 if ( ! $action || ! is_numeric( $action ) ) { 207 208 return false; 209 } 208 210 209 211 // Get the activity details. 210 $activity = bp_activity_get_specific( array( 'activity_ids' => bp_current_action(), 'show_hidden' => true, 'spam' => 'ham_only', ) ); 212 $activity = bp_activity_get_specific( array( 213 'activity_ids' => $action, 214 'show_hidden' => true, 215 'spam' => 'ham_only', 216 ) ); 211 217 212 218 // 404 if activity does not exist 213 219 if ( empty( $activity['activities'][0] ) || bp_action_variables() ) { … … function bp_activity_screen_single_activity_permalink() { 218 224 $activity = $activity['activities'][0]; 219 225 } 220 226 221 // Default access is true.222 $has_access = true;223 224 // If activity is from a group, do an extra cap check.225 if ( isset( $bp->groups->id ) && $activity->component == $bp->groups->id ) {226 227 // Activity is from a group, but groups is currently disabled.228 if ( !bp_is_active( 'groups') ) {229 bp_do_404();230 return;231 }232 233 // Check to see if the user has access to to the activity's parent group.234 if ( $group = groups_get_group( $activity->item_id ) ) {235 $has_access = $group->user_has_access;236 }237 }238 239 // If activity author does not match displayed user, block access.240 if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {241 $has_access = false;242 }243 244 227 /** 245 * Filters the access permission for a single activity view.228 * Check user access to the activity item. 246 229 * 247 * @since 1.2.0 248 * 249 * @param array $access Array holding the current $has_access value and current activity item instance. 230 * @since 3.0.0 250 231 */ 251 $has_access = apply_filters_ref_array( 'bp_activity_permalink_access', array( $has_access, &$activity) );232 $has_access = bp_activity_permalink_access( $activity, bp_displayed_user_id() ); 252 233 253 234 /** 254 235 * Fires before the loading of a single activity template file. … … function bp_activity_screen_single_activity_permalink() { 273 254 } else { 274 255 $url = sprintf( 275 256 wp_login_url( 'wp-login.php?redirect_to=%s' ), 276 esc_url_raw( bp_activity_get_permalink( bp_current_action()) )257 esc_url_raw( bp_activity_get_permalink( $action ) ) 277 258 ); 278 259 } 279 260 … … function bp_activity_screen_single_activity_permalink() { 287 268 * 288 269 * @param string $template Path to the activity template to load. 289 270 */ 290 bp_core_load_template( apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ) ); 271 $template = apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ); 272 273 // Load the template. 274 bp_core_load_template( $template ); 291 275 } 292 276 add_action( 'bp_screens', 'bp_activity_screen_single_activity_permalink' ); 293 277 -
tests/phpunit/testcases/activity/functions.php
diff --git tests/phpunit/testcases/activity/functions.php tests/phpunit/testcases/activity/functions.php index a4b831d0d..9ac402684 100644
Bar!'; 1475 1475 $this->assertSame( array(), $found['activities'] ); 1476 1476 } 1477 1477 1478 /** 1479 * @group bp_activity_permalink_access 1480 */ 1481 public function test_bp_activity_permalink_access() { 1482 $a = self::factory()->user->create(); 1483 $b = self::factory()->user->create(); 1484 1485 $i = self::factory()->activity->create( array( 1486 'user_id' => $b, 1487 ) ); 1488 1489 $a1 = $this->get_activity_object( $i ); 1490 1491 $this->assertFalse( bp_activity_permalink_access( $a1, $a ) ); 1492 $this->assertTrue( bp_activity_permalink_access( $a1, $b ) ); 1493 1494 /*****/ 1495 1496 // Test Group Admins. 1497 $g = self::factory()->group->create( array( 1498 'status' => 'public', 1499 ) ); 1500 1501 $i2 = self::factory()->activity->create( array( 1502 'component' => buddypress()->groups->id, 1503 'user_id' => $a, 1504 'item_id' => $g, 1505 ) ); 1506 1507 $a2 = $this->get_activity_object( $i2 ); 1508 1509 $d = self::factory()->user->create(); 1510 self::add_user_to_group( $d, $g ); 1511 1512 $m1 = new BP_Groups_Member( $d, $g ); 1513 $m1->promote( 'admin' ); 1514 1515 $this->assertTrue( bp_activity_permalink_access( $a2, $d ) ); 1516 1517 /*****/ 1518 1519 // Test admins. 1520 $c = self::factory()->user->create( array( 'role' => 'administrator' ) ); 1521 1522 $this->set_current_user( $c ); 1523 $this->assertTrue( bp_activity_permalink_access( $a1, $c ) ); 1524 $this->assertTrue( bp_activity_permalink_access( $a2, $c ) ); 1525 } 1526 1527 protected function get_activity_object( $activity_id ) { 1528 $found = bp_activity_get_specific( array( 1529 'activity_ids' => array( $activity_id ), 1530 ) ); 1531 1532 return $found['activities'][0]; 1533 } 1534 1478 1535 public function check_activity_caches() { 1479 1536 foreach ( $this->acaches as $k => $v ) { 1480 1537 $this->acaches[ $k ] = wp_cache_get( $k, 'bp_activity' );