Ticket #8728: 8728.02.patch

src/bp-groups/bp-groups-activity.php

@@ -651 +651 @@
  */
 function bp_groups_filter_activity_user_can_delete( $retval, $activity ) {
         // Bail if no current user.
+        // Todo: add second conditional statement to check the state to allow group activity deletions.
+        // e.g., "|| ! bp_enable_group_activity_deletions()".
         if ( ! is_user_logged_in() ) {
                 return $retval;
         }
 
-        if ( isset( $activity->component ) || 'groups' !== $activity->component ) {
+        // The second conditional statement does not allow "site admin" activity posts to be deleted by "non site admins".
+        if ( bp_current_user_can( 'bp_moderate' ) || bp_user_can( $activity->user_id, 'bp_moderate' ) ) {
                 return $retval;
         }
 
-        // Trust the passed value for administrators.
-        if ( bp_current_user_can( 'bp_moderate' ) ) {
-                return $retval;
-        }
+        $bp = buddypress();
 
-        // Group administrators or moderators can delete content in that group that doesn't belong to them.
-        $group_id = $activity->item_id;
-        if ( groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
-                $retval = true;
+        // Confine group activity deletion to the confines of the respective group where it is allowed.
+        if ( ! empty( $bp->groups->current_group->id ) ) {
+                $group_id = $bp->groups->current_group->id;
+
+                // Todo: break this out into additional conditionals that provide granularity as to who can to what, when.
+                if ( groups_is_user_creator( bp_loggedin_user_id(), $group_id ) || groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
+                        $retval = true;
+                }
         }
 
         return $retval;