Skip to:
Content

BuddyPress.org

Changeset 11270


Ignore:
Timestamp:
12/05/2016 10:41:20 PM (5 years ago)
Author:
slaffik
Message:

Prevent possible warning in bp_legacy_theme_delete_activity_comment().

Firstly, check $_POST['id'] itself, only after that - for logged-in user status. Prevents warnings when the AJAX request is sent with wrong params, which doesn't allow to proceed and run additional code.

Props jonas-lundman.
Fixes #7324.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/bp-templates/bp-legacy/buddypress-functions.php

    r11256 r11270  
    11041104    check_admin_referer( 'bp_activity_delete_link' );
    11051105
    1106     if ( ! is_user_logged_in() )
     1106    if ( empty( $_POST['id'] ) || ! is_numeric( $_POST['id'] ) ) {
    11071107        exit( '-1' );
     1108    }
     1109
     1110    if ( ! is_user_logged_in() ) {
     1111        exit( '-1' );
     1112    }
    11081113
    11091114    $comment = new BP_Activity_Activity( $_POST['id'] );
     
    11111116    // Check access.
    11121117    if ( ! bp_current_user_can( 'bp_moderate' ) && $comment->user_id != bp_loggedin_user_id() )
    1113         exit( '-1' );
    1114 
    1115     if ( empty( $_POST['id'] ) || ! is_numeric( $_POST['id'] ) )
    11161118        exit( '-1' );
    11171119
Note: See TracChangeset for help on using the changeset viewer.