Timestamp:
07/09/2023 10:06:30 AM (17 months ago)
Author:
imath
Message:

Check the requested Member’s page matches a valid nav screen function

The BP_Members_Component::check_parsed_query() method runs once the query is parsed and the single displayed Member's navigation is set. It checks that the current action matches a navigation slug and that the corresponding screen function exists and is callable. If that is not the case, a 404 is displayed, just as is currently the case when the BP Legacy URL parser is in use.

See #4954
Fixes #8932
Closes https://github.com/buddypress/buddypress/pull/125

File:
1 edited

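--- a/trunk/src/bp-members/classes/class-bp-members-component.php
+++ b/trunk/src/bp-members/classes/class-bp-members-component.php
@@ -205,4 +205,16 @@
             require_once $this->path . 'bp-members/screens/invitations.php';
         }
+    }
+
+    /**
+     * Set up the component actions.
+     *
+     * @since 12.0.0
+     */
+    public function setup_actions() {
+        parent::setup_actions();
+
+        // Check the parsed query is consistent with the Members navigation.
+        add_action( 'bp_parse_query',  array( $this, 'check_parsed_query' ), 999, 0 );
     }
 
@@ -957,4 +969,35 @@
 
     /**
+     * Check the parsed query is consistent with Members navigation.
+     *
+     * As the members’ component pages need a valid screen function to load the right BP Template,
+     * we need to make sure the current single item action exists inside the Members navigation and
+     * that the corresponding screen function is a valid callback.
+     *
+     * @since 12.0.0
+     */
+    public function check_parsed_query() {
+        $single_item_component = '';
+        if ( bp_is_user() ) {
+            $single_item_component = bp_current_component();
+        }
+
+        $single_item_action = '';
+        if ( $single_item_component ) {
+            $single_item_action = bp_current_action();
+        }
+
+        $bp = buddypress();
+        if ( isset( $bp->{$single_item_component}, $bp->{$single_item_component}->sub_nav ) ) {
+            $screen_functions = wp_list_pluck( $bp->{$single_item_component}->sub_nav, 'screen_function', 'slug' );
+
+            if ( ! $single_item_action || ! isset( $screen_functions[ $single_item_action ] ) || ! is_callable( $screen_functions[ $single_item_action ] ) ) {
+                bp_do_404();
+                return;
+            }
+        }
+    }
+
+    /**
      * Init the BP REST API.
      *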
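Review bot: `check_parsed_query()` fails open: the 404 check only runs inside the `isset( $bp->{$single_item_component}, ... ->sub_nav )` branch, so a displayed-user request whose component object or `sub_nav` is not set is let through unvalidated, and on non-user requests the lookup is done with an empty property name. I would start the method with a guard, `if ( ! bp_is_user() ) { return; }`, and put a comment above the `isset()` stating that components without a `sub_nav` are deliberately not checked (if that is the intent). The current component and action presumably come from the requested URL, so it is also worth saying in the docblock that the slug is only ever used as a lookup key and that the callback comes from the registered navigation, never from the request. The `return;` after `bp_do_404()` is the last statement of the method and can be dropped.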