
Changeset 11881


Timestamp:
03/04/2018 09:13:24 PM (7 years ago)
Author:
r-a-y
Message:

Activity: After r11806, fix read access checks to private activity items.

Previously, after r11806, anyone could access private activity items.

The problem is passing the displayed user ID instead of the current user
ID in bp_activity_user_can_read().

Commit also fixes an issue with the login URL redirect for logged-out users.

Fixes #7048.

File:
1 edited

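--- a/trunk/src/bp-activity/bp-activity-screens.php
+++ b/trunk/src/bp-activity/bp-activity-screens.php
@@ -225,6 +225,4 @@
     }
 
-    $user_id = bp_displayed_user_id();
-
     /**
      * Check user access to the activity item.
@@ -232,9 +230,9 @@
      * @since 3.0.0
      */
-    $has_access = bp_activity_user_can_read( $activity, $user_id );
+    $has_access = bp_activity_user_can_read( $activity );
 
     // If activity author does not match displayed user, block access.
     // More info:https://buddypress.trac.wordpress.org/ticket/7048#comment:28
-    if ( true === $has_access && $user_id !== $activity->user_id ) {
+    if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {
         $has_access = false;
     }
@@ -252,20 +250,13 @@
     // Access is specifically disallowed.
     if ( false === $has_access ) {
-
-        // User feedback.
-        bp_core_add_message( __( 'You do not have access to this activity.', 'buddypress' ), 'error' );
-
-        // Redirect based on logged in status.
-        if ( is_user_logged_in() ) {
-            $url = bp_loggedin_user_domain();
-
+        // If not logged in, prompt for login.
+        if ( ! is_user_logged_in() ) {
+            bp_core_no_access();
+
+        // Redirect away.
         } else {
-            $url = sprintf(
-                wp_login_url( 'wp-login.php?redirect_to=%s' ),
-                esc_url_raw( bp_activity_get_permalink( $action ) )
-            );
+            bp_core_add_message( __( 'You do not have access to this activity.', 'buddypress' ), 'error' );
+            bp_core_redirect( bp_loggedin_user_domain() );
         }
-
-        bp_core_redirect( $url );
     }
 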
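Review bot: The `if ( false === $has_access )` block now relies on `bp_core_no_access()` and `bp_core_redirect()` never returning; the previous version ended the block with an unconditional `bp_core_redirect( $url )`, whereas now each branch is responsible for terminating the request, so if either helper ever returns (for instance when its behaviour is altered by a filter or in a test harness) execution falls through into the rest of the screen function and the private item is still rendered. Consider making the denial fail closed independently of the helpers by ending the block with `return;` after the `if`/`else`, or at least recording the assumption with `// Both branches redirect and exit; nothing below runs for a denied request.` The call `$has_access = bp_activity_user_can_read( $activity );` also deserves a one-line comment stating that the user ID is deliberately omitted so the read check runs against the logged-in user rather than the displayed user, since that omission is the access-control fix the commit message describes and a future reader may otherwise "restore" the argument. The enclosing function starts before and ends after the hunk.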