

Changeset 11319


Timestamp:
12/22/2016 08:27:56 PM (4 years ago)
Author:
djpaul
Message:

Avatars: improve robustness of crop process by confirming crop data.

For the 2.1 branch.

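--- a/branches/2.1/src/bp-core/bp-core-avatars.php
+++ b/branches/2.1/src/bp-core/bp-core-avatars.php
@@ -742,8 +742,32 @@
         return false;
 
-    $original_file = bp_core_avatar_upload_path() . $original_file;
+    if ( 'user' === $object ) {
+        $avatar_dir = 'avatars';
+    } else {
+        $avatar_dir = sanitize_key( $args['object'] ) . '-avatars';
+    }
+
+    $original_file = sprintf( '%s/%s/%s/%s', bp_core_avatar_upload_path(), $avatar_dir, $item_id, basename( $original_file ) );
 
     if ( !file_exists( $original_file ) )
         return false;
+
+    // Capability check.
+    $has_cap = bp_current_user_can( 'bp_moderate' );
+    if ( ! $has_cap ) {
+        if ( 'user' === $object ) {
+            $has_cap = bp_loggedin_user_id() === (int) $args['item_id'];
+        } elseif ( 'group' === $object && bp_is_active( 'groups' ) ) {
+            if ( bp_is_group_create() ) {
+                $has_cap = (bool) groups_is_user_creator( bp_loggedin_user_id(), $args['item_id'] );
+            } else {
+                $has_cap = (bool) groups_is_user_admin( bp_loggedin_user_id(), $args['item_id'] );
+            }
+        }
+    }
+
+    if ( ! $has_cap ) {
+        return false;
+    }
 
     if ( empty( $item_id ) ) {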
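Review bot: The rebuilt path on the new line 750 constrains the filename with `basename()` and the directory with `sanitize_key()`, but `$item_id` is spliced in as a raw path segment and its origin is not visible in this hunk; if it is not already cast to an integer earlier in the function, it should be cast here so it cannot carry separators, `$original_file = sprintf( '%s/%s/%s/%s', bp_core_avatar_upload_path(), $avatar_dir, (int) $item_id, basename( $original_file ) );`. The same value is checked with `empty( $item_id )` only on line 773, after the path has already been built and probed with `file_exists()`, so the emptiness guard comes too late to protect the path construction. In the capability block, the user branch compares against `(int) $args['item_id']` while both group calls pass `$args['item_id']` uncast; passing `(int) $args['item_id']` to `groups_is_user_creator()` and `groups_is_user_admin()` would keep the three branches consistent. The enclosing function starts before and continues after this hunk.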