Timestamp:
08/13/2021 12:19:58 PM (3 years ago)
Author:
imath
Message:

Activity: update the nonce used by the Activity Reply JS Fallback

If JavaScript is unavailable (whether it was disabled or it errored), posting an activity reply uses the bp_activity_action_post_comment() PHP function after a page load. Unlike the Ajax action, the nonce used in this function was not updated in [12735]. The main goal of this commit is to fix this oversight. The secondary goal is to improve code formatting.

See #8545 (trunk)

File:
1 edited

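--- a/trunk/src/bp-activity/actions/reply.php
+++ b/trunk/src/bp-activity/actions/reply.php
@@ -16,9 +16,20 @@
  */
 function bp_activity_action_post_comment() {
-    if ( !is_user_logged_in() || !bp_is_activity_component() || !bp_is_current_action( 'reply' ) )
+    if ( ! is_user_logged_in() || ! bp_is_activity_component() || ! bp_is_current_action( 'reply' ) ) {
         return false;
+    }
+
+    if ( ! isset( $_POST['comment_form_id'] ) ) {
+        return false;
+    }
+
+    $activity_id = absint( wp_unslash( $_POST['comment_form_id'] ) );
+
+    if ( ! isset( $activity_id ) ) {
+        return false;
+    }
 
     // Check the nonce.
-    check_admin_referer( 'new_activity_comment', '_wpnonce_new_activity_comment' );
+    check_admin_referer( 'new_activity_comment', '_wpnonce_new_activity_comment_' . $activity_id );
 
     /**
@@ -27,7 +38,7 @@
      * @since 1.2.0
      *
-     * @param string $value ID of the activity being replied to.
+     * @param string $activity_id ID of the activity being replied to.
      */
-    $activity_id = apply_filters( 'bp_activity_post_comment_activity_id', $_POST['comment_form_id'] );
+    $activity_id = apply_filters( 'bp_activity_post_comment_activity_id', $activity_id );
 
     /**
@@ -51,14 +62,17 @@
     }
 
-    $comment_id = bp_activity_new_comment( array(
-        'content'     => $content,
-        'activity_id' => $activity_id,
-        'parent_id'   => false
-    ));
+    $comment_id = bp_activity_new_comment(
+        array(
+            'content'     => $content,
+            'activity_id' => $activity_id,
+            'parent_id'   => false
+        )
+    );
 
-    if ( !empty( $comment_id ) )
+    if ( ! empty( $comment_id ) ) {
         bp_core_add_message( __( 'Reply Posted!', 'buddypress' ) );
-    else
+    } else {
         bp_core_add_message( __( 'There was an error posting that reply. Please try again.', 'buddypress' ), 'error' );
+    }
 
     bp_core_redirect( wp_get_referer() . '#ac-form-' . $activity_id );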
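Review bot: The `isset( $activity_id )` guard at new line 28 can never fail, because `absint()` on the line above always yields an int, so a non-numeric or zero `comment_form_id` is not rejected early but reaches `check_admin_referer()` with an id of `0`; the guard should test the value instead, `if ( ! $activity_id ) { return false; }`. Since `$activity_id` is now an int rather than the raw request string, the filter docblock at new line 40 should read `@param int $activity_id ID of the activity being replied to.`. Note also that the nonce at new line 33 is verified against the id read from the request, while the `bp_activity_post_comment_activity_id` filter at new line 42 may replace that id afterwards, so a filtered value is no longer the one the nonce was bound to — presumably acceptable since the filter predates this change, but a one-line comment stating that the nonce covers the pre-filter id would make the intent explicit. The body of bp_activity_action_post_comment() continues between and past the shown hunks, so the remaining lines were not reviewed here.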