Changeset 11889 for trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php

Timestamp:

03/05/2018 01:03:06 PM (6 years ago)

Author:

boonebgorges

Message:

Templates: Die from AJAX friend operations when friend ID is invalid.

This prevents the adding of friendship objects attached to non-existent
users.

Props modemlooper.
Fixes #7683.

File:

• trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php (modified) (1 diff)

trunk/src/bp-templates/bp-nouveau/includes/friends/ajax.php

@@ -89 +89 @@
     $friend_id = (int) $_POST['item_id'];
 
+    $user = get_user_by( 'id', $friend_id );
+    if ( ! $user ) {
+        wp_send_json_error(
+            array(
+                'feedback' => sprintf(
+                    '<div class="bp-feedback error">%s</div>',
+                    esc_html__( 'No member found by that ID.', 'buddypress' )
+                ),
+            )
+        );
+    }
+
     // In the 2 first cases the $friend_id is a friendship id.
     if ( ! empty( $_POST['action'] ) && 'friends_accept_friendship' === $_POST['action'] ) {