Changeset 1032 for trunk/bp-friends.php

Timestamp:

02/09/2009 06:52:51 AM (17 years ago)

Author:

apeatling

Message:

Added nonce security checks to all BuddyPress actions. Fixes #454

File:

• trunk/bp-friends.php (modified) (5 diffs)

trunk/bp-friends.php

@@ -73 +73 @@
     if ( is_site_admin() ) {
         /* Need to check db tables exist, activate hook no-worky in mu-plugins folder. */
-        if ( ( false == $wpdb->get_var( "SHOW TABLES LIKE '%{$bp->friends->table_name}%'") ) || ( get_site_option('bp-friends-db-version') < BP_FRIENDS_DB_VERSION )  )
+        if ( ( !$wpdb->get_var( "SHOW TABLES LIKE '%{$bp->friends->table_name}%'") ) || ( get_site_option('bp-friends-db-version') < BP_FRIENDS_DB_VERSION )  )
             friends_install();
     }
@@ -484 +484 @@
     global $bp;
     
+    /* Check the nonce */
+    if ( !check_admin_referer( 'friends_add_friend' ) ) 
+        return false;
+    
     $friendship = new BP_Friends_Friendship;
     
@@ -513 +517 @@
 function friends_remove_friend( $initiator_userid, $friend_userid ) {
     global $bp;
+
+    /* Check the nonce */
+    if ( !check_admin_referer( 'friends_remove_friend' ) ) 
+        return false;
         
     $friendship_id = BP_Friends_Friendship::get_friendship_id( $initiator_userid, $friend_userid );
@@ -532 +540 @@
 
 function friends_accept_friendship( $friendship_id ) {
+    /* Check the nonce */
+    if ( !check_admin_referer( 'friends_accept_friendship' ) ) 
+        return false;
+        
     $friendship = new BP_Friends_Friendship( $friendship_id, true, false );
-    
+
     if ( !$friendship->is_confirmed && BP_Friends_Friendship::accept( $friendship_id ) ) {
         friends_update_friend_totals( $friendship->initiator_user_id, $friendship->friend_user_id );
@@ -555 +567 @@
 
 function friends_reject_friendship( $friendship_id ) {
+    /* Check the nonce */
+    if ( !check_admin_referer( 'friends_reject_friendship' ) ) 
+        return false;
+        
     $friendship = new BP_Friends_Friendship( $friendship_id, true, false );