Context Navigation

← Previous Changeset
Next Changeset →

Changeset 11806

Timestamp:

01/10/2018 06:59:00 PM (7 years ago)

Author:

djpaul

Message:

Activity: add function to check if a user has access to a single activity.

This change extracts the existing logic from bp_activity_screen_single_activity_permalink() into a new function, allowing it to be used in multiple places, such as the REST API, or a WP-CLI extension.

Fixes #7048

Props espellcaste

Location:

trunk

Files:

: 3 edited

src/bp-activity/bp-activity-functions.php (modified) (1 diff)
src/bp-activity/bp-activity-screens.php (modified) (4 diffs)
tests/phpunit/testcases/activity/functions.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/bp-activity/bp-activity-functions.php

-                      r11793
+                      r11806
 /**
+ * Can a user see a particular activity item?
+ *
+ * @since 3.0.0
+ *
+ * @param  BP_Activity_Activity $activity Activity object.
+ * @param  integer              $user_id  User ID.
+ * @return boolean True on success, false on failure.
+ */
+function bp_activity_user_can_read( $activity, $user_id = 0 ) {
+    $retval = false;
+    // Fallback.
+    if ( empty( $user_id ) ) {
+        $user_id = bp_loggedin_user_id();
+    }
+    // Admins and moderators can see everything.
+    if ( bp_current_user_can( 'bp_moderate' ) ) {
+        $retval = true;
+    }
+    // If activity author match user, allow access as well.
+    if ( $user_id === $activity->user_id ) {
+        $retval = true;
+    }
+    // If activity is from a group, do an extra cap check.
+    if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === buddypress()->groups->id ) {
+        // Check to see if the user has access to the activity's parent group.
+        $group = groups_get_group( $activity->item_id );
+        if ( $group ) {
+            $retval = $group->user_has_access;
+        }
+    }
+    /**
+     * Filters whether the current user has access to an activity item.
+     *
+     * @since 3.0.0
+     *
+     * @param bool                 $retval   Return value.
+     * @param int                  $user_id  Current user ID.
+     * @param BP_Activity_Activity $activity Activity object.
+     */
+    return apply_filters( 'bp_activity_user_can_read', $retval, $user_id, $activity );
+}
+/**
  * Hide a user's activity.
+ *

trunk/src/bp-activity/bp-activity-screens.php

-                      r11761
+                      r11806
  * @since 1.2.0
+ *
+ * @return bool|string Boolean on false or the template for a single activity item on success.
  */
 function bp_activity_screen_single_activity_permalink() {
-    $bp = buddypress();
     // No displayed user or not viewing activity component.
     if ( !bp_is_activity_component() )
+    if ( ! bp_is_activity_component() ) {
         return false;
+    if ( ! bp_current_action() || !is_numeric( bp_current_action() ) )
+    }
+    $action = bp_current_action();
+    if ( ! $action || ! is_numeric( $action ) ) {
         return false;
+    }
     // Get the activity details.
+    $activity = bp_activity_get_specific( array( 'activity_ids' => bp_current_action(), 'show_hidden' => true, 'spam' => 'ham_only', ) );
+    $activity = bp_activity_get_specific( array(
+        'activity_ids' => $action,
+        'show_hidden'  => true,
+        'spam'         => 'ham_only',
+    ) );
     // 404 if activity does not exist
 …
+    }
+    // Default access is true.
+    $has_access = true;
+    // If activity is from a group, do an extra cap check.
+    if ( isset( $bp->groups->id ) && $activity->component == $bp->groups->id ) {
+        // Activity is from a group, but groups is currently disabled.
+        if ( !bp_is_active( 'groups') ) {
+            bp_do_404();
+            return;
+        }
+        // Check to see if the user has access to to the activity's parent group.
+        if ( $group = groups_get_group( $activity->item_id ) ) {
+            $has_access = $group->user_has_access;
+        }
+    }
+    $user_id = bp_displayed_user_id();
+    /**
+     * Check user access to the activity item.
+     *
+     * @since 3.0.0
+     */
+    $has_access = bp_activity_user_can_read( $activity, $user_id );
     // If activity author does not match displayed user, block access.
+    if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {
+    // More info:https://buddypress.trac.wordpress.org/ticket/7048#comment:28
+    if ( true === $has_access && $user_id !== $activity->user_id ) {
         $has_access = false;
+    }
-    /**
-     * Filters the access permission for a single activity view.
+     *
-     * @since 1.2.0
+     *
-     * @param array $access Array holding the current $has_access value and current activity item instance.
-     */
-    $has_access = apply_filters_ref_array( 'bp_activity_permalink_access', array( $has_access, &$activity ) );
     /**
 …
             $url = sprintf(
                 wp_login_url( 'wp-login.php?redirect_to=%s' ),
                 esc_url_raw( bp_activity_get_permalink( bp_current_action() ) )
+                esc_url_raw( bp_activity_get_permalink( $action ) )
             );
+        }
 …
      * @param string $template Path to the activity template to load.
      */
+    bp_core_load_template( apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ) );
+    $template = apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' );
+    // Load the template.
+    bp_core_load_template( $template );
+}
 add_action( 'bp_screens', 'bp_activity_screen_single_activity_permalink' );

trunk/tests/phpunit/testcases/activity/functions.php

-                      r11737
+                      r11806
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_user_can_access_their_own_activity() {
+        $u = self::factory()->user->create();
+        $a = self::factory()->activity->create( array(
+            'user_id' => $u,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_user_cannot_access_someone_elses_activity() {
+        $u = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+        $a = self::factory()->activity->create( array(
+            'user_id' => $u2,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_admin_can_access_someone_elses_activity() {
+        $u = self::factory()->user->create();
+        $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+        $a = self::factory()->activity->create( array(
+            'user_id' => $u,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+        $this->set_current_user( $u2 );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_group_admin_access_someone_elses_activity_in_a_grou() {
+        $u  = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+        $g  = self::factory()->group->create();
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+        self::add_user_to_group( $u2, $g );
+        $m1 = new BP_Groups_Member( $u2, $g );
+        $m1->promote( 'admin' );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_non_member_can_access_to_someone_elses_activity_in_a_group() {
+        $u  = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+        $g  = self::factory()->group->create();
+        self::add_user_to_group( $u, $g );
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+    }
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_user_access_to_his_activity_in_disabled_group() {
+        $u  = self::factory()->user->create();
+        $g  = self::factory()->group->create();
+        self::add_user_to_group( $u, $g );
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+        $o = self::factory()->activity->get_object_by_id( $a );
+        groups_edit_group_settings( $g, 0, 'hidden' );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+        groups_edit_group_settings( $g, 0, 'private' );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+    }
     public function check_activity_caches() {
         foreach ( $this->acaches as $k => $v ) {

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

BuddyPress.org