Skip to:
Content

BuddyPress.org

Changeset 11806


Ignore:
Timestamp:
01/10/2018 06:59:00 PM (2 years ago)
Author:
djpaul
Message:

Activity: add function to check if a user has access to a single activity.

This change extracts the existing logic from bp_activity_screen_single_activity_permalink() into a new function, allowing it to be used in multiple places, such as the REST API, or a WP-CLI extension.

Fixes #7048

Props espellcaste

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/bp-activity/bp-activity-functions.php

    r11793 r11806  
    30823082
    30833083/**
     3084 * Can a user see a particular activity item?
     3085 *
     3086 * @since 3.0.0
     3087 *
     3088 * @param  BP_Activity_Activity $activity Activity object.
     3089 * @param  integer              $user_id  User ID.
     3090 * @return boolean True on success, false on failure.
     3091 */
     3092function bp_activity_user_can_read( $activity, $user_id = 0 ) {
     3093    $retval = false;
     3094
     3095    // Fallback.
     3096    if ( empty( $user_id ) ) {
     3097        $user_id = bp_loggedin_user_id();
     3098    }
     3099
     3100    // Admins and moderators can see everything.
     3101    if ( bp_current_user_can( 'bp_moderate' ) ) {
     3102        $retval = true;
     3103    }
     3104
     3105    // If activity author match user, allow access as well.
     3106    if ( $user_id === $activity->user_id ) {
     3107        $retval = true;
     3108    }
     3109
     3110    // If activity is from a group, do an extra cap check.
     3111    if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === buddypress()->groups->id ) {
     3112
     3113        // Check to see if the user has access to the activity's parent group.
     3114        $group = groups_get_group( $activity->item_id );
     3115        if ( $group ) {
     3116            $retval = $group->user_has_access;
     3117        }
     3118    }
     3119
     3120    /**
     3121     * Filters whether the current user has access to an activity item.
     3122     *
     3123     * @since 3.0.0
     3124     *
     3125     * @param bool                 $retval   Return value.
     3126     * @param int                  $user_id  Current user ID.
     3127     * @param BP_Activity_Activity $activity Activity object.
     3128     */
     3129    return apply_filters( 'bp_activity_user_can_read', $retval, $user_id, $activity );
     3130}
     3131
     3132/**
    30843133 * Hide a user's activity.
    30853134 *
  • trunk/src/bp-activity/bp-activity-screens.php

    r11761 r11806  
    196196 * @since 1.2.0
    197197 *
     198 * @return bool|string Boolean on false or the template for a single activity item on success.
    198199 */
    199200function bp_activity_screen_single_activity_permalink() {
    200     $bp = buddypress();
    201 
    202201    // No displayed user or not viewing activity component.
    203     if ( !bp_is_activity_component() )
     202    if ( ! bp_is_activity_component() ) {
    204203        return false;
    205 
    206     if ( ! bp_current_action() || !is_numeric( bp_current_action() ) )
     204    }
     205
     206    $action = bp_current_action();
     207    if ( ! $action || ! is_numeric( $action ) ) {
    207208        return false;
     209    }
    208210
    209211    // Get the activity details.
    210     $activity = bp_activity_get_specific( array( 'activity_ids' => bp_current_action(), 'show_hidden' => true, 'spam' => 'ham_only', ) );
     212    $activity = bp_activity_get_specific( array(
     213        'activity_ids' => $action,
     214        'show_hidden'  => true,
     215        'spam'         => 'ham_only',
     216    ) );
    211217
    212218    // 404 if activity does not exist
     
    219225    }
    220226
    221     // Default access is true.
    222     $has_access = true;
    223 
    224     // If activity is from a group, do an extra cap check.
    225     if ( isset( $bp->groups->id ) && $activity->component == $bp->groups->id ) {
    226 
    227         // Activity is from a group, but groups is currently disabled.
    228         if ( !bp_is_active( 'groups') ) {
    229             bp_do_404();
    230             return;
    231         }
    232 
    233         // Check to see if the user has access to to the activity's parent group.
    234         if ( $group = groups_get_group( $activity->item_id ) ) {
    235             $has_access = $group->user_has_access;
    236         }
    237     }
     227    $user_id = bp_displayed_user_id();
     228
     229    /**
     230     * Check user access to the activity item.
     231     *
     232     * @since 3.0.0
     233     */
     234    $has_access = bp_activity_user_can_read( $activity, $user_id );
    238235
    239236    // If activity author does not match displayed user, block access.
    240     if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {
     237    // More info:https://buddypress.trac.wordpress.org/ticket/7048#comment:28
     238    if ( true === $has_access && $user_id !== $activity->user_id ) {
    241239        $has_access = false;
    242240    }
    243 
    244     /**
    245      * Filters the access permission for a single activity view.
    246      *
    247      * @since 1.2.0
    248      *
    249      * @param array $access Array holding the current $has_access value and current activity item instance.
    250      */
    251     $has_access = apply_filters_ref_array( 'bp_activity_permalink_access', array( $has_access, &$activity ) );
    252241
    253242    /**
     
    274263            $url = sprintf(
    275264                wp_login_url( 'wp-login.php?redirect_to=%s' ),
    276                 esc_url_raw( bp_activity_get_permalink( bp_current_action() ) )
     265                esc_url_raw( bp_activity_get_permalink( $action ) )
    277266            );
    278267        }
     
    288277     * @param string $template Path to the activity template to load.
    289278     */
    290     bp_core_load_template( apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ) );
     279    $template = apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' );
     280
     281    // Load the template.
     282    bp_core_load_template( $template );
    291283}
    292284add_action( 'bp_screens', 'bp_activity_screen_single_activity_permalink' );
  • trunk/tests/phpunit/testcases/activity/functions.php

    r11737 r11806  
    14761476    }
    14771477
     1478    /**
     1479     * @group bp_activity_user_can_read
     1480     */
     1481    public function test_user_can_access_their_own_activity() {
     1482        $u = self::factory()->user->create();
     1483
     1484        $a = self::factory()->activity->create( array(
     1485            'user_id' => $u,
     1486        ) );
     1487
     1488        $o = self::factory()->activity->get_object_by_id( $a );
     1489
     1490        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1491    }
     1492
     1493    /**
     1494     * @group bp_activity_user_can_read
     1495     */
     1496    public function test_user_cannot_access_someone_elses_activity() {
     1497        $u = self::factory()->user->create();
     1498        $u2 = self::factory()->user->create();
     1499
     1500        $a = self::factory()->activity->create( array(
     1501            'user_id' => $u2,
     1502        ) );
     1503
     1504        $o = self::factory()->activity->get_object_by_id( $a );
     1505
     1506        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
     1507        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
     1508    }
     1509
     1510    /**
     1511     * @group bp_activity_user_can_read
     1512     */
     1513    public function test_admin_can_access_someone_elses_activity() {
     1514        $u = self::factory()->user->create();
     1515        $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) );
     1516
     1517        $a = self::factory()->activity->create( array(
     1518            'user_id' => $u,
     1519        ) );
     1520
     1521        $o = self::factory()->activity->get_object_by_id( $a );
     1522
     1523        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1524
     1525        $this->set_current_user( $u2 );
     1526        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
     1527    }
     1528
     1529    /**
     1530     * @group bp_activity_user_can_read
     1531     */
     1532    public function test_group_admin_access_someone_elses_activity_in_a_grou() {
     1533        $u  = self::factory()->user->create();
     1534        $u2 = self::factory()->user->create();
     1535
     1536        $g  = self::factory()->group->create();
     1537
     1538        $a = self::factory()->activity->create( array(
     1539            'component' => buddypress()->groups->id,
     1540            'user_id'   => $u,
     1541            'item_id'   => $g,
     1542        ) );
     1543
     1544        $o = self::factory()->activity->get_object_by_id( $a );
     1545
     1546        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1547
     1548        self::add_user_to_group( $u2, $g );
     1549
     1550        $m1 = new BP_Groups_Member( $u2, $g );
     1551        $m1->promote( 'admin' );
     1552
     1553        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
     1554    }
     1555
     1556    /**
     1557     * @group bp_activity_user_can_read
     1558     */
     1559    public function test_non_member_can_access_to_someone_elses_activity_in_a_group() {
     1560        $u  = self::factory()->user->create();
     1561        $u2 = self::factory()->user->create();
     1562
     1563        $g  = self::factory()->group->create();
     1564
     1565        self::add_user_to_group( $u, $g );
     1566
     1567        $a = self::factory()->activity->create( array(
     1568            'component' => buddypress()->groups->id,
     1569            'user_id'   => $u,
     1570            'item_id'   => $g,
     1571        ) );
     1572
     1573        $o = self::factory()->activity->get_object_by_id( $a );
     1574
     1575        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1576        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
     1577    }
     1578
     1579    /**
     1580     * @group bp_activity_user_can_read
     1581     */
     1582    public function test_user_access_to_his_activity_in_disabled_group() {
     1583        $u  = self::factory()->user->create();
     1584        $g  = self::factory()->group->create();
     1585
     1586        self::add_user_to_group( $u, $g );
     1587
     1588        $a = self::factory()->activity->create( array(
     1589            'component' => buddypress()->groups->id,
     1590            'user_id'   => $u,
     1591            'item_id'   => $g,
     1592        ) );
     1593
     1594        $o = self::factory()->activity->get_object_by_id( $a );
     1595
     1596        groups_edit_group_settings( $g, 0, 'hidden' );
     1597
     1598        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1599
     1600        groups_edit_group_settings( $g, 0, 'private' );
     1601
     1602        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
     1603    }
     1604
    14781605    public function check_activity_caches() {
    14791606        foreach ( $this->acaches as $k => $v ) {
Note: See TracChangeset for help on using the changeset viewer.