

Changeset 11889


Timestamp:
03/05/2018 01:03:06 PM (4 years ago)
Author:
boonebgorges
Message:

Templates: Die from AJAX friend operations when friend ID is invalid.

This prevents the adding of friendship objects attached to non-existent
users.

Props modemlooper.
Fixes #7683.

Location:
trunk/src/bp-templates
Files:
2 edited

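--- a/trunk/src/bp-templates/bp-legacy/buddypress-functions.php
+++ b/trunk/src/bp-templates/bp-legacy/buddypress-functions.php
@@ -1396,4 +1396,9 @@
     $friend_id = (int) $_POST['fid'];
 
+    $user = get_user_by( 'id', $friend_id );
+    if ( ! $user ) {
+        die( __( 'No member found by that ID.', 'buddypress' ) );
+    }
+
     // Trying to cancel friendship.
     if ( 'is_friend' == BP_Friends_Friendship::check_is_friend( bp_loggedin_user_id(), $friend_id ) ) {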
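Review bot: The new `die( __( 'No member found by that ID.', 'buddypress' ) )` at new line 1400 writes a translated string into the AJAX response without escaping, while the bp-nouveau half of this changeset uses `esc_html__()` for the same message. Translation files are a separate input to the output, so escaping late is the safer habit: `die( esc_html__( 'No member found by that ID.', 'buddypress' ) );`. The enclosing handler starts and ends outside the hunk, so it cannot be confirmed from here whether a nonce check runs before this lookup. If that check lives only inside the later branches, a short comment saying this early exit is reached before it would help the next reader.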
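--- a/trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php
+++ b/trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php
@@ -89,4 +89,16 @@
     $friend_id = (int) $_POST['item_id'];
 
+    $user = get_user_by( 'id', $friend_id );
+    if ( ! $user ) {
+        wp_send_json_error(
+            array(
+                'feedback' => sprintf(
+                    '<div class="bp-feedback error">%s</div>',
+                    esc_html__( 'No member found by that ID.', 'buddypress' )
+                ),
+            )
+        );
+    }
+
     // In the 2 first cases the $friend_id is a friendship id.
     if ( ! empty( $_POST['action'] ) && 'friends_accept_friendship' === $_POST['action'] ) {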
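Review bot: The `get_user_by( 'id', $friend_id )` guard at new lines 91-101 runs before the branches where, per the context comment on new line 103, `$friend_id` holds a friendship ID rather than a user ID. In those cases the lookup validates the wrong kind of identifier: a legitimate accept request can be refused with "No member found by that ID." when no user shares that number, and the target user is never actually verified when one does. The guard should apply only where `item_id` is a user ID, for example by moving it below the friendship-ID branches (assuming each of those exits) or by skipping it for those actions. A comment such as `// From here on $friend_id is a user ID; validate it before creating or removing a friendship.` would mark the boundary. The handler continues outside the hunk, so the remaining branches could not be checked.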