Changeset 13525


Timestamp:
07/26/2023 05:04:47 AM (19 months ago)
Author:
imath
Message:

Display a 404 if a group’s URL has no matches in registered screens

Introduces a check_parsed_query() method to the BP_Groups_Component class to make sure the requested group URL matches an existing & registered group screen.

Fixes #8953
Closes https://github.com/buddypress/buddypress/pull/138

Location:
trunk/src/bp-groups
Files:
2 edited

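--- a/trunk/src/bp-groups/bp-groups-functions.php
+++ b/trunk/src/bp-groups/bp-groups-functions.php
@@ -3815,4 +3815,5 @@
  *
  * @param string  $context  The display context. Required. Defaults to `read`.
+ *                          Possible values are `read`, `manage` or `create`.
  * @param boolean $built_in True to only get builtin screens. False otherwise.
  * @return array            The list of potential Group screens.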
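--- a/trunk/src/bp-groups/classes/class-bp-groups-component.php
+++ b/trunk/src/bp-groups/classes/class-bp-groups-component.php
@@ -327,4 +327,16 @@
         // Finally return the current group.
         return $current_group;
+    }
+
+    /**
+     * Set up the component actions.
+     *
+     * @since 12.0.0
+     */
+    public function setup_actions() {
+        parent::setup_actions();
+
+        // Check the parsed query is consistent with the Group’s registered screens.
+        add_action( 'bp_parse_query',  array( $this, 'check_parsed_query' ), 999, 0 );
     }
 
@@ -1193,4 +1205,28 @@
 
     /**
+     * Check the parsed query is consistent with Group’s registered screens.
+     *
+     * @since 12.0.0
+     */
+    public function check_parsed_query() {
+        if ( bp_is_group() ) {
+            $slug    = bp_current_action();
+            $context = 'read';
+
+            if ( 'admin' === $slug ) {
+                $slug    = bp_action_variable( 0 );
+                $context = 'manage';
+            }
+
+            $registered_group_screens = bp_get_group_screens( $context );
+
+            if ( ! isset( $registered_group_screens[ $slug ] ) ) {
+                bp_do_404();
+                return;
+            }
+        }
+    }
+
+    /**
      * Init the BP REST API.
      *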
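Review bot: In check_parsed_query(), `$slug` is not guaranteed to be a string once the `admin` branch runs — `bp_action_variable( 0 )` appears to return `false` when the URL carries no action variable, and `isset( $registered_group_screens[ $slug ] )` then coerces that key to `0`, so whether a bare `admin` URL 404s depends on array-key coercion rather than an explicit decision. Making the check explicit, e.g. `if ( ! is_string( $slug ) || '' === $slug || ! isset( $registered_group_screens[ $slug ] ) ) {`, keeps the screen allow-list the single source of truth; whether that case should 404 or be redirected to a default manage screen is not visible in this hunk, so please confirm the intended behaviour. The `return;` after `bp_do_404();` is the method's last reachable statement and can be dropped. The docblock could also record the coupling to setup_actions(): `* Runs on `bp_parse_query` at priority 999 so every group screen is registered before the lookup.` and a `@return void`. The enclosing BP_Groups_Component class starts and ends outside the hunk.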