Changeset 12365 for trunk/src/bp-templates/bp-nouveau/includes/activity/ajax.php

Timestamp:

04/25/2019 02:12:34 PM (6 years ago)

Author:

boonebgorges

Message:

Activity: Ensure items can only be favorited by those with read access.

File:

• trunk/src/bp-templates/bp-nouveau/includes/activity/ajax.php (modified) (1 diff)

trunk/src/bp-templates/bp-nouveau/includes/activity/ajax.php

@@ -99 +99 @@
     // Nonce check!
     if ( empty( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'bp_nouveau_activity' ) ) {
+        wp_send_json_error();
+    }
+
+    $activity_id   = (int) $_POST['id'];
+    $activity_item = new BP_Activity_Activity( $activity_id );
+    if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
         wp_send_json_error();
     }