Changeset 11319

Timestamp:

12/22/2016 08:27:56 PM (9 years ago)

Author:

djpaul

Message:

Avatars: improve robustness of crop process by confirming crop data.

For the 2.1 branch.

File:

• branches/2.1/src/bp-core/bp-core-avatars.php (modified) (1 diff)

branches/2.1/src/bp-core/bp-core-avatars.php

@@ -742 +742 @@
         return false;
 
-    $original_file = bp_core_avatar_upload_path() . $original_file;
+    if ( 'user' === $object ) {
+        $avatar_dir = 'avatars';
+    } else {
+        $avatar_dir = sanitize_key( $args['object'] ) . '-avatars';
+    }
+
+    $original_file = sprintf( '%s/%s/%s/%s', bp_core_avatar_upload_path(), $avatar_dir, $item_id, basename( $original_file ) );
 
     if ( !file_exists( $original_file ) )
         return false;
+
+    // Capability check.
+    $has_cap = bp_current_user_can( 'bp_moderate' );
+    if ( ! $has_cap ) {
+        if ( 'user' === $object ) {
+            $has_cap = bp_loggedin_user_id() === (int) $args['item_id'];
+        } elseif ( 'group' === $object && bp_is_active( 'groups' ) ) {
+            if ( bp_is_group_create() ) {
+                $has_cap = (bool) groups_is_user_creator( bp_loggedin_user_id(), $args['item_id'] );
+            } else {
+                $has_cap = (bool) groups_is_user_admin( bp_loggedin_user_id(), $args['item_id'] );
+            }
+        }
+    }
+
+    if ( ! $has_cap ) {
+        return false;
+    }
 
     if ( empty( $item_id ) ) {