Ticket #8728: 8728.03.patch

src/bp-groups/bp-groups-activity.php

@@ -651 +651 @@
  */
 function bp_groups_filter_activity_user_can_delete( $retval, $activity ) {
         // Bail if no current user.
+        // Todo: add second conditional statement to check the state to allow group activity deletions.
+        // e.g., "|| ! bp_enable_group_activity_deletions()".
         if ( ! is_user_logged_in() ) {
                 return $retval;
         }
 
-        if ( isset( $activity->component ) || 'groups' !== $activity->component ) {
+        if ( isset( $activity->component ) && 'groups' !== $activity->component ) {
                 return $retval;
         }
 
-        // Trust the passed value for administrators.
-        if ( bp_current_user_can( 'bp_moderate' ) ) {
+        // The second conditional statement does not allow "site admin" activity posts to be deleted by "non site admins".
+        if ( bp_current_user_can( 'bp_moderate' ) || bp_user_can( $activity->user_id, 'bp_moderate' ) ) {
                 return $retval;
         }
 
-        // Group administrators or moderators can delete content in that group that doesn't belong to them.
         $group_id = $activity->item_id;
-        if ( groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
+
+        // Group creator, administrators or moderators can delete content in which deletions are allowed for that group.
+        // Todo: break this out into additional conditionals that provide granularity as to who can to what, when.
+        if ( groups_is_user_creator( bp_loggedin_user_id(), $group_id ) || groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
                 $retval = true;
         }