

Changeset 12629


Timestamp:
04/21/2020 06:12:25 PM (3 months ago)
Author:
boonebgorges
Message:

Improve permission check when validating activity permission requests.

Location:
trunk/src
Files:
2 edited

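--- a/trunk/src/bp-activity/bp-activity-template.php
+++ b/trunk/src/bp-activity/bp-activity-template.php
@@ -1579,6 +1579,11 @@
         }
 
-        // Viewing a single item, and this user is an admin of that item.
-        if ( bp_is_single_item() && bp_is_item_admin() ) {
+        /*
+         * Viewing a single item, and this user is an admin of that item.
+         *
+         * Group activity items are handled separately.
+         * See bp_groups_filter_activity_user_can_delete().
+         */
+        if ( 'groups' !== $activity->component && bp_is_single_item() && bp_is_item_admin() ) {
             $can_delete = true;
         }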
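--- a/trunk/src/bp-groups/bp-groups-activity.php
+++ b/trunk/src/bp-groups/bp-groups-activity.php
@@ -619,4 +619,40 @@
 
 /**
+ * Function used to determine if a user can delete a group activity item.
+ *
+ * Used as a filter callback to 'bp_activity_user_can_delete'.
+ *
+ * @since 6.0.0
+ *
+ * @param  bool   $retval   True if item can receive comments.
+ * @param  object $activity Activity item being checked.
+ * @return bool
+ */
+function bp_groups_filter_activity_user_can_delete( $retval, $activity ) {
+    // Bail if no current user.
+    if ( ! is_user_logged_in() ) {
+        return $retval;
+    }
+
+    if ( isset( $activity->component ) || 'groups' !== $activity->component ) {
+        return $retval;
+    }
+
+    // Trust the passed value for administrators.
+    if ( bp_current_user_can( 'bp_moderate' ) ) {
+        return $retval;
+    }
+
+    // Group administrators or moderators can delete content in that group that doesn't belong to them.
+    $group_id = $activity->item_id;
+    if ( groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
+        $retval = true;
+    }
+
+    return $retval;
+}
+add_filter( 'bp_activity_user_can_delete', 'bp_groups_filter_activity_user_can_delete', 10, 2 );
+
+/**
  * Function used to determine if a user can comment on a group activity item.
  *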
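Review bot: The early bail-out in the new bp_groups_filter_activity_user_can_delete() is inverted: `isset( $activity->component ) || 'groups' !== $activity->component` returns `$retval` unchanged whenever the component property is present, so the group admin/moderator branch below it is unreachable, and when the property is absent the second operand reads an undefined property before bailing anyway. The guard should be `if ( ! isset( $activity->component ) || 'groups' !== $activity->component ) {`. Because the companion change in bp-activity-template.php now skips the `bp_is_item_admin()` path for `'groups'` items and defers to this filter, the likely net effect is that group admins and mods lose the ability to delete other members' items in their group unless some other path grants it (fail-closed, but still a regression worth a test). Two smaller points: the docblock's `@param bool $retval True if item can receive comments.` is copied from the comment filter and should read `True if the current user can delete the item.`, and `bp_loggedin_user_id()` could be read once into a local before the two `groups_is_user_*` calls.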