Timestamp:
12/22/2016 08:27:12 PM (4 years ago)
Author:
djpaul
Message:

Avatars: improve robustness of crop process by confirming crop data.

For the 2.0 branch.

File:
1 edited

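--- a/branches/2.0/bp-core/bp-core-avatars.php
+++ b/branches/2.0/bp-core/bp-core-avatars.php
@@ -733,8 +733,32 @@
         return false;
 
-    $original_file = bp_core_avatar_upload_path() . $original_file;
+    if ( 'user' === $object ) {
+        $avatar_dir = 'avatars';
+    } else {
+        $avatar_dir = sanitize_key( $args['object'] ) . '-avatars';
+    }
+
+    $original_file = sprintf( '%s/%s/%s/%s', bp_core_avatar_upload_path(), $avatar_dir, $item_id, basename( $original_file ) );
 
     if ( !file_exists( $original_file ) )
         return false;
+
+    // Capability check.
+    $has_cap = bp_current_user_can( 'bp_moderate' );
+    if ( ! $has_cap ) {
+        if ( 'user' === $object ) {
+            $has_cap = bp_loggedin_user_id() === (int) $args['item_id'];
+        } elseif ( 'group' === $object && bp_is_active( 'groups' ) ) {
+            if ( bp_is_group_create() ) {
+                $has_cap = (bool) groups_is_user_creator( bp_loggedin_user_id(), $args['item_id'] );
+            } else {
+                $has_cap = (bool) groups_is_user_admin( bp_loggedin_user_id(), $args['item_id'] );
+            }
+        }
+    }
+
+    if ( ! $has_cap ) {
+        return false;
+    }
 
     if ( empty( $item_id ) ) {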
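Review bot: The sprintf() on new line 741 interpolates `$item_id` into the directory path raw, while the capability check on line 750 only ever compares `(int) $args['item_id']`; if both come from the same request value, a non-integer id can satisfy the user check and still shape the path segment, so the path should use the cast too, e.g. `sprintf( '%s/%s/%d/%s', bp_core_avatar_upload_path(), $avatar_dir, (int) $item_id, basename( $original_file ) )`. The `empty( $item_id )` guard on line 764 would also be more useful placed before the path is built and file_exists() is consulted. The directory branch on lines 735–739 tests `$object` but reads `$args['object']`, which can drift; using `$object` in both keeps the sanitize_key() result and the branch condition in step. The enclosing function starts before this hunk, so where `$item_id` and `$object` are derived is not visible here.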