Changeset 12155
- Timestamp:
- 06/03/2018 10:38:20 AM (7 years ago)
- Location:
- branches/3.0
- Files:
-
- 2 edited
branches/3.0/src/bp-activity/bp-activity-functions.php
r11883 r12155 3108 3108 */ 3109 3109 function bp_activity_user_can_read( $activity, $user_id = 0 ) { 3110 $retval = false;3110 $retval = true; 3111 3111 3112 3112 // Fallback. … … 3115 3115 } 3116 3116 3117 // Admins and moderators can see everything. 3118 if ( bp_current_user_can( 'bp_moderate' ) ) { 3119 $retval = true; 3120 } 3121 3122 // If activity author match user, allow access as well. 3123 if ( $user_id === $activity->user_id ) { 3124 $retval = true; 3125 } 3126 3127 // If activity is from a group, do an extra cap check. 3128 if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === buddypress()->groups->id ) { 3129 3117 // If activity is from a group, do extra cap checks. 3118 if ( bp_is_active( 'groups' ) && buddypress()->groups->id === $activity->component ) { 3130 3119 // Check to see if the user has access to the activity's parent group. 3131 3120 $group = groups_get_group( $activity->item_id ); 3132 3121 if ( $group ) { 3133 $retval = $group->user_has_access; 3134 } 3122 // For logged-in user, we can check against the 'user_has_access' prop. 3123 if ( bp_loggedin_user_id() === $user_id ) { 3124 $retval = $group->user_has_access; 3125 3126 // Manually check status. 3127 } elseif ( 'private' === $group->status || 'hidden' === $group->status ) { 3128 // Only group members that are not banned can view. 3129 if ( ! groups_is_user_member( $user_id, $activity->item_id ) || groups_is_user_banned( $user_id, $activity->item_id ) ) { 3130 $retval = false; 3131 } 3132 } 3133 } 3134 } 3135 3136 // Spammed items are not visible to the public. 3137 if ( $activity->is_spam ) { 3138 $retval = false; 3139 } 3140 3141 // Site moderators can view anything. 3142 if ( bp_current_user_can( 'bp_moderate' ) ) { 3143 $retval = true; 3135 3144 } 3136 3145 -
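Review bot: The closing moderator override in `bp_activity_user_can_read()` calls `bp_current_user_can( 'bp_moderate' )`, which tests the session user rather than the `$user_id` argument, so any call made while a moderator is logged in returns true for whatever `$user_id` was passed, including for spam and private or hidden group items. If the function is meant to answer for `$user_id`, the check would read `if ( bp_user_can( $user_id, 'bp_moderate' ) ) {`. Separately, with the default now `$retval = true;`, the `if ( $group )` test has no else branch, so if `groups_get_group()` can return an empty value the activity of an unloadable group stays readable; an `else { $retval = false; }` there would make that path fail closed. The function body starts and ends outside the visible hunks, so any later filter or return is not covered by this note.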
branches/3.0/tests/phpunit/testcases/activity/functions.php
r11806 r12155 1494 1494 * @group bp_activity_user_can_read 1495 1495 */ 1496 public function test_user_cannot_access_someone_elses_activity() {1497 $u = self::factory()->user->create();1498 $u2 = self::factory()->user->create();1499 1500 $a = self::factory()->activity->create( array(1501 'user_id' => $u2,1502 ) );1503 1504 $o = self::factory()->activity->get_object_by_id( $a );1505 1506 $this->assertFalse( bp_activity_user_can_read( $o, $u ) );1507 $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );1508 }1509 1510 /**1511 * @group bp_activity_user_can_read1512 */1513 1496 public function test_admin_can_access_someone_elses_activity() { 1514 1497 $u = self::factory()->user->create(); … … 1530 1513 * @group bp_activity_user_can_read 1531 1514 */ 1532 public function test_group_admin_access_someone_elses_activity_in_a_grou() { 1515 public function test_user_cannot_access_spam_activity() { 1516 $u = self::factory()->user->create(); 1517 $u2 = self::factory()->user->create(); 1518 1519 $a = self::factory()->activity->create( array( 1520 'user_id' => $u, 1521 ) ); 1522 1523 $o = self::factory()->activity->get_object_by_id( $a ); 1524 1525 bp_activity_mark_as_spam( $o ); 1526 1527 $this->assertFalse( bp_activity_user_can_read( $o, $u ) ); 1528 $this->assertFalse( bp_activity_user_can_read( $o, $u2 ) ); 1529 } 1530 1531 /** 1532 * @group bp_activity_user_can_read 1533 */ 1534 public function test_admin_can_access_spam_activity() { 1535 $u = self::factory()->user->create(); 1536 $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 1537 1538 $a = self::factory()->activity->create( array( 1539 'user_id' => $u, 1540 ) ); 1541 1542 $o = self::factory()->activity->get_object_by_id( $a ); 1543 1544 bp_activity_mark_as_spam( $o ); 1545 1546 $this->set_current_user( $u2 ); 1547 $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) ); 1548 } 1549 1550 /** 1551 * @group bp_activity_user_can_read 1552 */ 1553 public function 
test_group_admin_access_someone_elses_activity_in_a_group() { 1533 1554 $u = self::factory()->user->create(); 1534 1555 $u2 = self::factory()->user->create(); … … 1580 1601 * @group bp_activity_user_can_read 1581 1602 */ 1582 public function test_user_access_to_his_activity_in_ disabled_group() {1603 public function test_user_access_to_his_activity_in_hidden_group() { 1583 1604 $u = self::factory()->user->create(); 1584 $g = self::factory()->group->create(); 1605 $g = self::factory()->group->create( array( 1606 'status' => 'hidden', 1607 ) ); 1585 1608 1586 1609 self::add_user_to_group( $u, $g ); … … 1594 1617 $o = self::factory()->activity->get_object_by_id( $a ); 1595 1618 1596 groups_edit_group_settings( $g, 0, 'hidden' );1597 1598 1619 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1599 1600 groups_edit_group_settings( $g, 0, 'private' ); 1620 } 1621 1622 /** 1623 * @group bp_activity_user_can_read 1624 */ 1625 public function test_user_access_to_his_activity_in_private_group() { 1626 $u = self::factory()->user->create(); 1627 $g = self::factory()->group->create( array( 1628 'status' => 'private', 1629 ) ); 1630 1631 self::add_user_to_group( $u, $g ); 1632 1633 $a = self::factory()->activity->create( array( 1634 'component' => buddypress()->groups->id, 1635 'user_id' => $u, 1636 'item_id' => $g, 1637 ) ); 1638 1639 $o = self::factory()->activity->get_object_by_id( $a ); 1601 1640 1602 1641 $this->assertTrue( bp_activity_user_can_read( $o, $u ) ); 1642 } 1643 1644 /** 1645 * @group bp_activity_user_can_read 1646 */ 1647 public function test_banned_user_cannot_access_to_his_activity_in_a_private_group() { 1648 $u = self::factory()->user->create(); 1649 $g = self::factory()->group->create( array( 1650 'status' => 'private', 1651 ) ); 1652 1653 self::add_user_to_group( $u, $g ); 1654 1655 $a = self::factory()->activity->create( array( 1656 'component' => buddypress()->groups->id, 1657 'user_id' => $u, 1658 'item_id' => $g, 1659 ) ); 1660 1661 
buddypress()->is_item_admin = true; 1662 groups_ban_member( $u, $g ); 1663 1664 $o = self::factory()->activity->get_object_by_id( $a ); 1665 1666 $this->assertFalse( bp_activity_user_can_read( $o, $u ) ); 1667 } 1668 1669 /** 1670 * @group bp_activity_user_can_read 1671 */ 1672 public function test_removed_member_cannot_access_to_his_activity_in_a_private_group() { 1673 $u = self::factory()->user->create(); 1674 $g = self::factory()->group->create( array( 1675 'status' => 'private', 1676 ) ); 1677 1678 self::add_user_to_group( $u, $g ); 1679 1680 $a = self::factory()->activity->create( array( 1681 'component' => buddypress()->groups->id, 1682 'user_id' => $u, 1683 'item_id' => $g, 1684 ) ); 1685 1686 buddypress()->is_item_admin = true; 1687 groups_remove_member( $u, $g ); 1688 1689 $o = self::factory()->activity->get_object_by_id( $a ); 1690 1691 $this->assertFalse( bp_activity_user_can_read( $o, $u ) ); 1603 1692 } 1604 1693
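Review bot: In the banned-member and removed-member tests, `buddypress()->is_item_admin = true;` is set on the global and is not restored anywhere in the visible lines, so the elevated flag can leak into later tests and hide an authorization failure. Saving the previous value before the `groups_ban_member()` or `groups_remove_member()` call and resetting it right after keeps each case isolated, e.g. `$old = buddypress()->is_item_admin;` before and `buddypress()->is_item_admin = $old;` after. The commit also removes `test_user_cannot_access_someone_elses_activity()`, and no visible test pins the new permissive default or exercises the `bp_loggedin_user_id() === $user_id` branch for a non-admin. A case that calls `set_current_user()` for an ordinary member and one for a user who never joined a private group would cover those paths, unless the elided tests already do.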