Changeset 12501


Timestamp:
12/04/2019 01:07:27 PM (5 years ago)
Author:
dcavins
Message:

Nouveau: Fix group uninvite AJAX handler logic.

Ensure that site admins, group admins and the original inviter can all delete a pending invitation.

Fixes #8167.

File:
1 edited

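--- a/trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php
+++ b/trunk/src/bp-templates/bp-nouveau/includes/groups/ajax.php
@@ -471,21 +471,25 @@
     }
 
-    // Verify pending invite.
-    $invites_args = array(
-        'is_confirmed' => false,
-        'is_banned'    => null,
-        'is_admin'     => null,
-        'is_mod'       => null,
-    );
-    $invites = bp_get_user_groups( $user_id, $invites_args );
-    if ( empty( $invites ) ) {
-        wp_send_json_error( $response );
-    }
-
-    if ( ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) ) {
-        wp_send_json_error( $response );
-    }
-
-    if ( BP_Groups_Member::check_for_membership_request( $user_id, $group_id ) ) {
+    // Verify that a sent invite exists.
+    $inviter_ids = groups_get_invites( array(
+        'user_id'     => $user_id,
+        'item_id'     => $group_id,
+        'invite_sent' => 'sent',
+        'fields'      => 'inviter_ids'
+    ) );
+
+    if ( empty( $inviter_ids ) ) {
+        wp_send_json_error( $response );
+    }
+
+    // Is the current user the inviter?
+    $inviter_id = in_array( bp_loggedin_user_id(), $inviter_ids, true ) ? bp_loggedin_user_id() : false;
+
+    // A site moderator, group admin or the inviting user should be able to remove an invitation.
+    if ( ! bp_is_item_admin() && ! $inviter_id ) {
+        wp_send_json_error( $response );
+    }
+
+    if ( groups_is_user_member( $user_id, $group_id ) ) {
         wp_send_json_error(
             array(
@@ -497,6 +501,6 @@
     }
 
-    // Remove the unsent invitation.
-    if ( ! groups_uninvite_user( $user_id, $group_id ) ) {
+    // Remove the invitation.
+    if ( ! groups_uninvite_user( $user_id, $group_id, $inviter_id ) ) {
         wp_send_json_error(
             array(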
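Review bot: The permission check at new line 489 calls `bp_is_item_admin()` with no group argument, so unlike the removed `groups_is_user_admin( bp_loggedin_user_id(), $group_id )` it is not visibly tied to the `$group_id` this handler acts on; if that helper reflects the group resolved from the request context rather than the posted id, an admin of one group would pass the check for another group's invitation. Binding the check to the target object keeps it unambiguous: `if ( ! bp_current_user_can( 'bp_moderate' ) && ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) && ! $inviter_id ) {`. Separately, the strict `in_array( ..., $inviter_ids, true )` at line 486 only matches if `groups_get_invites()` returns integers for `'fields' => 'inviter_ids'`, which is worth confirming since a string result would silently deny the original inviter. The handler's body starts and ends outside the visible lines, so its nonce and input validation cannot be assessed here.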