
Ticket #8167: 8167.2.diff

File 8167.2.diff, 1.9 KB (added by dcavins, 2 years ago)

Use the same logic in the "delete invitations" routine as was used in the "can edit" permissions calculation.

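diff --git src/bp-templates/bp-nouveau/includes/groups/ajax.php src/bp-templates/bp-nouveau/includes/groups/ajax.php
index 718f1c489..4d4ba9451 100644
--- a/src/bp-templates/bp-nouveau/includes/groups/ajax.php
+++ b/src/bp-templates/bp-nouveau/includes/groups/ajax.php
@@ -470,23 +470,27 @@ function bp_nouveau_ajax_remove_group_invite() {
                 wp_send_json_error( $response );
         }
 
-        // Verify pending invite.
-        $invites_args = array(
-                'is_confirmed' => false,
-                'is_banned'    => null,
-                'is_admin'     => null,
-                'is_mod'       => null,
-        );
-        $invites = bp_get_user_groups( $user_id, $invites_args );
-        if ( empty( $invites ) ) {
+        // Verify that a sent invite exists.
+        $inviter_ids = groups_get_invites( array(
+                'user_id'     => $user_id,
+                'item_id'     => $group_id,
+                'invite_sent' => 'sent',
+                'fields'      => 'inviter_ids'
+        ) );
+
+        if ( empty( $inviter_ids ) ) {
                 wp_send_json_error( $response );
         }
 
-        if ( ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) ) {
+        // Is the current user the inviter?
+        $inviter_id = in_array( bp_loggedin_user_id(), $inviter_ids, true ) ? bp_loggedin_user_id() : false;
+
+        // A site moderator, group admin or the inviting user should be able to remove an invitation.
+        if ( ! bp_is_item_admin() && ! $inviter_id ) {
                 wp_send_json_error( $response );
         }
 
-        if ( BP_Groups_Member::check_for_membership_request( $user_id, $group_id ) ) {
+        if ( groups_is_user_member( $user_id, $group_id ) ) {
                 wp_send_json_error(
                         array(
                                 'feedback' => __( 'The member is already a member of the group.', 'buddypress' ),
@@ -496,8 +500,8 @@ function bp_nouveau_ajax_remove_group_invite() {
                 );
         }
 
-        // Remove the unsent invitation.
-        if ( ! groups_uninvite_user( $user_id, $group_id ) ) {
+        // Remove the invitation.
+        if ( ! groups_uninvite_user( $user_id, $group_id, $inviter_id ) ) {
                 wp_send_json_error(
                         array(
                                 'feedback' => __( 'Group invitation could not be removed.', 'buddypress' ),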
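Review bot: The permission check `if ( ! bp_is_item_admin() && ! $inviter_id )` is no longer tied to `$group_id`: the removed line asked `groups_is_user_admin( bp_loggedin_user_id(), $group_id )`, while `bp_is_item_admin()` takes no group argument and so presumably answers for whatever item the request context resolved to. If `$group_id` is read from the AJAX payload (not visible in these hunks), an admin of one group could pass this check while the invitation being removed belongs to another group, so I would keep the group-scoped test alongside the moderator case, e.g. `if ( ! bp_current_user_can( 'bp_moderate' ) && ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) && ! $inviter_id ) {`. It would also help to add a comment stating that `$inviter_id` is `false` for admins who did not send the invite, and what `groups_uninvite_user()` does when given `false` as its third argument. The body of `bp_nouveau_ajax_remove_group_invite()` starts and ends outside the hunks shown.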