Changeset 12154

Timestamp:

06/03/2018 10:36:32 AM (6 years ago)

Author:

djpaul

Message:

Activity: fix activity permalinks for unauthenticated users.

This change also re-adds the block on accessing spammed activity items.

Fixes #7843

Props r-a-y, espellcaste

Location:

trunk

Files:

• src/bp-activity/bp-activity-functions.php (modified) (2 diffs)
• tests/phpunit/testcases/activity/functions.php (modified) (4 diffs)

trunk/src/bp-activity/bp-activity-functions.php

@@ -3108 +3108 @@
  */
 function bp_activity_user_can_read( $activity, $user_id = 0 ) {
-    $retval = false;
+    $retval = true;
 
     // Fallback.
@@ -3115 +3115 @@
     }
 
-    // Admins and moderators can see everything.
-    if ( bp_current_user_can( 'bp_moderate' ) ) {
-        $retval = true;
-    }
-
-    // If activity author match user, allow access as well.
-    if ( $user_id === $activity->user_id ) {
-        $retval = true;
-    }
-
-    // If activity is from a group, do an extra cap check.
-    if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === buddypress()->groups->id ) {
-
+    // If activity is from a group, do extra cap checks.
+    if ( bp_is_active( 'groups' ) && buddypress()->groups->id === $activity->component ) {
         // Check to see if the user has access to the activity's parent group.
         $group = groups_get_group( $activity->item_id );
         if ( $group ) {
-            $retval = $group->user_has_access;
-        }
+            // For logged-in user, we can check against the 'user_has_access' prop.
+            if ( bp_loggedin_user_id() === $user_id ) {
+                $retval = $group->user_has_access;
+
+            // Manually check status.
+            } elseif ( 'private' === $group->status || 'hidden' === $group->status ) {
+                // Only group members that are not banned can view.
+                if ( ! groups_is_user_member( $user_id, $activity->item_id ) || groups_is_user_banned( $user_id, $activity->item_id ) ) {
+                    $retval = false;
+                }
+            }
+        }
+    }
+
+    // Spammed items are not visible to the public.
+    if ( $activity->is_spam ) {
+        $retval = false;
+    }
+
+    // Site moderators can view anything.
+    if ( bp_current_user_can( 'bp_moderate' ) ) {
+        $retval = true;
     }
 

trunk/tests/phpunit/testcases/activity/functions.php

@@ -1494 +1494 @@
      * @group bp_activity_user_can_read
      */
-    public function test_user_cannot_access_someone_elses_activity() {
-        $u = self::factory()->user->create();
-        $u2 = self::factory()->user->create();
-
-        $a = self::factory()->activity->create( array(
-            'user_id' => $u2,
-        ) );
-
-        $o = self::factory()->activity->get_object_by_id( $a );
-
-        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
-        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
-    }
-
-    /**
-     * @group bp_activity_user_can_read
-     */
     public function test_admin_can_access_someone_elses_activity() {
         $u = self::factory()->user->create();
@@ -1530 +1513 @@
      * @group bp_activity_user_can_read
      */
-    public function test_group_admin_access_someone_elses_activity_in_a_grou() {
+    public function test_user_cannot_access_spam_activity() {
+        $u = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+
+        $a = self::factory()->activity->create( array(
+            'user_id' => $u,
+        ) );
+
+        $o = self::factory()->activity->get_object_by_id( $a );
+
+        bp_activity_mark_as_spam( $o );
+
+        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
+        $this->assertFalse( bp_activity_user_can_read( $o, $u2 ) );
+    }
+
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_admin_can_access_spam_activity() {
+        $u = self::factory()->user->create();
+        $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+
+        $a = self::factory()->activity->create( array(
+            'user_id' => $u,
+        ) );
+
+        $o = self::factory()->activity->get_object_by_id( $a );
+
+        bp_activity_mark_as_spam( $o );
+
+        $this->set_current_user( $u2 );
+        $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+    }
+
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_group_admin_access_someone_elses_activity_in_a_group() {
         $u  = self::factory()->user->create();
         $u2 = self::factory()->user->create();
@@ -1580 +1601 @@
      * @group bp_activity_user_can_read
      */
-    public function test_user_access_to_his_activity_in_disabled_group() {
+    public function test_user_access_to_his_activity_in_hidden_group() {
         $u  = self::factory()->user->create();
-        $g  = self::factory()->group->create();
+        $g  = self::factory()->group->create( array(
+            'status' => 'hidden',
+        ) );
 
         self::add_user_to_group( $u, $g );
@@ -1594 +1617 @@
         $o = self::factory()->activity->get_object_by_id( $a );
 
-        groups_edit_group_settings( $g, 0, 'hidden' );
-
         $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
-
-        groups_edit_group_settings( $g, 0, 'private' );
+    }
+
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_user_access_to_his_activity_in_private_group() {
+        $u  = self::factory()->user->create();
+        $g  = self::factory()->group->create( array(
+            'status' => 'private',
+        ) );
+
+        self::add_user_to_group( $u, $g );
+
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+
+        $o = self::factory()->activity->get_object_by_id( $a );
 
         $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+    }
+
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_banned_user_cannot_access_to_his_activity_in_a_private_group() {
+        $u  = self::factory()->user->create();
+        $g  = self::factory()->group->create( array(
+            'status' => 'private',
+        ) );
+
+        self::add_user_to_group( $u, $g );
+
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+
+        buddypress()->is_item_admin = true;
+        groups_ban_member( $u, $g );
+
+        $o = self::factory()->activity->get_object_by_id( $a );
+
+        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
+    }
+
+    /**
+     * @group bp_activity_user_can_read
+     */
+    public function test_removed_member_cannot_access_to_his_activity_in_a_private_group() {
+        $u  = self::factory()->user->create();
+        $g  = self::factory()->group->create( array(
+            'status' => 'private',
+        ) );
+
+        self::add_user_to_group( $u, $g );
+
+        $a = self::factory()->activity->create( array(
+            'component' => buddypress()->groups->id,
+            'user_id'   => $u,
+            'item_id'   => $g,
+        ) );
+
+        buddypress()->is_item_admin = true;
+        groups_remove_member( $u, $g );
+
+        $o = self::factory()->activity->get_object_by_id( $a );
+
+        $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
     }