Changeset 12385 for trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php

Timestamp:

04/25/2019 02:55:53 PM (6 years ago)

Author:

boonebgorges

Message:

Nouveau: Improved capability check when deleting pending invites.

File:

• trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php (modified) (1 diff)

trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php

@@ -449 +449 @@
     $group_id = bp_get_current_group_id();
 
+    $response = array(
+        'feedback' => __( 'Group invitation could not be removed.', 'buddypress' ),
+        'type'     => 'error',
+    );
+
     // Verify nonce
     if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'groups_invite_uninvite_user' ) ) {
-        wp_send_json_error(
-            array(
-                'feedback' => __( 'Group invitation could not be removed.', 'buddypress' ),
-                'type'     => 'error',
-            )
-        );
+        wp_send_json_error( $response );
+    }
+
+    // Verify pending invite.
+    $invites_args = array(
+        'is_confirmed' => false,
+        'is_banned'    => null,
+        'is_admin'     => null,
+        'is_mod'       => null,
+    );
+    $invites = bp_get_user_groups( $user_id, $invites_args );
+    if ( empty( $invites ) ) {
+        wp_send_json_error( $response );
+    }
+
+    if ( ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) ) {
+        wp_send_json_error( $response );
     }