
Changeset 12630


Timestamp:
04/21/2020 06:13:26 PM (3 months ago)
Author:
boonebgorges
Message:

Improve permission check when validating activity permission requests.

Merges [12629] to the 5.0 branch.

Location:
branches/5.0
Files:
3 edited

  • branches/5.0

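--- a/branches/5.0/src/bp-activity/bp-activity-template.php
+++ b/branches/5.0/src/bp-activity/bp-activity-template.php
@@ -1568,6 +1568,11 @@
         }
 
-        // Viewing a single item, and this user is an admin of that item.
-        if ( bp_is_single_item() && bp_is_item_admin() ) {
+        /*
+         * Viewing a single item, and this user is an admin of that item.
+         *
+         * Group activity items are handled separately.
+         * See bp_groups_filter_activity_user_can_delete().
+         */
+        if ( 'groups' !== $activity->component && bp_is_single_item() && bp_is_item_admin() ) {
             $can_delete = true;
         }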
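Review bot: The new `'groups' !== $activity->component` test reads the property without an `isset()` check, so an activity object lacking `component` compares `'groups' !== null`, passes, and still receives the page-context grant from `bp_is_single_item() && bp_is_item_admin()`. Whether such an object can reach this point is not visible here, but the groups filter added in this changeset tests the same property with `isset()`, which suggests it can. A fail-closed form would be `if ( isset( $activity->component ) && 'groups' !== $activity->component && bp_is_single_item() && bp_is_item_admin() ) {`. The enclosing function starts and ends outside the hunk.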
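--- a/branches/5.0/src/bp-groups/bp-groups-activity.php
+++ b/branches/5.0/src/bp-groups/bp-groups-activity.php
@@ -608,4 +608,40 @@
 
 /**
+ * Function used to determine if a user can delete a group activity item.
+ *
+ * Used as a filter callback to 'bp_activity_user_can_delete'.
+ *
+ * @since 6.0.0
+ *
+ * @param  bool   $retval   True if item can receive comments.
+ * @param  object $activity Activity item being checked.
+ * @return bool
+ */
+function bp_groups_filter_activity_user_can_delete( $retval, $activity ) {
+    // Bail if no current user.
+    if ( ! is_user_logged_in() ) {
+        return $retval;
+    }
+
+    if ( isset( $activity->component ) || 'groups' !== $activity->component ) {
+        return $retval;
+    }
+
+    // Trust the passed value for administrators.
+    if ( bp_current_user_can( 'bp_moderate' ) ) {
+        return $retval;
+    }
+
+    // Group administrators or moderators can delete content in that group that doesn't belong to them.
+    $group_id = $activity->item_id;
+    if ( groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
+        $retval = true;
+    }
+
+    return $retval;
+}
+add_filter( 'bp_activity_user_can_delete', 'bp_groups_filter_activity_user_can_delete', 10, 2 );
+
+/**
  * Function used to determine if a user can comment on a group activity item.
  *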
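Review bot: The component guard in bp_groups_filter_activity_user_can_delete() is inverted: `if ( isset( $activity->component ) || 'groups' !== $activity->component )` returns `$retval` for every activity whose component is set, and an unset component also satisfies the second operand, so the group admin/moderator check below it appears unreachable. Because the template change in this changeset stops granting deletion for 'groups' items through the item-admin check, group admins and moderators would seem to lose the ability to delete group activity instead of having it scoped to the activity's own group. The condition should read `if ( ! isset( $activity->component ) || 'groups' !== $activity->component ) {`. The docblock also needs correcting: `@param bool $retval` is described as "True if item can receive comments", which looks copied from the comment filter below it, and `@since 6.0.0` sits on the 5.0 branch.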