Changeset 13870

Timestamp:

05/24/2024 05:43:34 AM (11 months ago)

Author:

imath

Message:

Groups: improve group activity moderation delegation to admins & mods

• Introduce a new BP Groups global setting to let Site Administrators decide whether group admins & mods can delete their group activities or not.
• NB: Group creators can keep the control about who can delete their group activities using group role promotion (allow: promote some members as mods or admins. Disallow: do not promote anyone).
• Make sure the bp_groups_filter_activity_user_can_delete() filter takes in account this setting and behaves as expected (eventually allowing group admins/mods to delete group activities).
• Add unit tests

This ticket is a perfect example of a great collaborative work between all members of the BP Team. Great job 💪.

Props: emaralive, vapvarun, dcavins, espellcaste, needle

Fixes #8728
Closes ​https://github.com/buddypress/buddypress/pull/278

Location:

trunk

Files:

• src/bp-core/admin/bp-core-admin-settings.php (modified) (2 diffs)
• src/bp-core/bp-core-options.php (modified) (2 diffs)
• src/bp-core/classes/class-bp-admin.php (modified) (1 diff)
• src/bp-groups/bp-groups-activity.php (modified) (1 diff)
• tests/phpunit/testcases/groups/activity.php (modified) (1 diff)

trunk/src/bp-core/admin/bp-core-admin-settings.php

@@ -352 +352 @@
 }
 
+/**
+ * 'Enable group activity deletions.
+ *
+ * @since 14.0.0
+ */
+function bp_admin_setting_callback_group_activity_deletions() {
+?>
+    <input id="bp-disable-group-activity-deletions" name="bp-disable-group-activity-deletions" type="checkbox" value="1" <?php checked( ! bp_disable_group_activity_deletions() ); ?> />
+    <label for="bp-disable-group-activity-deletions"><?php esc_html_e( "Allow group administrators and moderators to delete activity items from their group's activity stream", 'buddypress' ); ?></label>
+<?php
+}
+
 /** Account settings Section ************************************************************/
 
@@ -436 +448 @@
             'bp-disable-group-avatar-uploads',
             'bp-disable-group-cover-image-uploads',
+            'bp-disable-group-activity-deletions',
             'bp_disable_blogforum_comments',
             'bp-disable-profile-sync',

trunk/src/bp-core/bp-core-options.php

@@ -62 +62 @@
         // Group Cover image uploads.
         'bp-disable-group-cover-image-uploads' => false,
+
+        // Allow Group Activity Deletions.
+        'bp-disable-group-activity-deletions'   => false,
 
         // Allow users to delete their own accounts.
@@ -587 +590 @@
 
 /**
+ * Are group activity deletions disabled?
+ *
+ * @since 14.0.0
+ *
+ * @param bool $default Optional. Fallback value if not found in the database.
+ *                      Default: false.
+ * @return bool True if group activity deletions are disabled, otherwise false.
+ */
+function bp_disable_group_activity_deletions( $default = false ) {
+
+    /**
+     * Filters whether or not group creator, group admin or group mod are able to delete group activity posts.
+     *
+     * @since 14.0.0
+     *
+     * @param bool $value Whether or not group creator, group admin or group mod are able to delete group activity post.
+     */
+    return (bool) apply_filters( 'bp_disable_group_activity_deletions', (bool) bp_get_option( 'bp-disable-group-activity-deletions', $default ) );
+}
+
+/**
  * Are members able to delete their own accounts?
  *

trunk/src/bp-core/classes/class-bp-admin.php

@@ -570 +570 @@
                 register_setting( 'buddypress', 'bp-disable-group-cover-image-uploads', 'intval' );
             }
+
+            // Allow group activity deletions.
+            add_settings_field( 'bp-disable-group-activity-deletions', esc_html__( 'Group Activity Deletions', 'buddypress' ), 'bp_admin_setting_callback_group_activity_deletions', 'buddypress', 'bp_groups' );
+            register_setting( 'buddypress', 'bp-disable-group-activity-deletions', 'intval' );
         }
 

trunk/src/bp-groups/bp-groups-activity.php

@@ -651 +651 @@
  */
 function bp_groups_filter_activity_user_can_delete( $retval, $activity ) {
-    // Bail if no current user.
-    if ( ! is_user_logged_in() ) {
+    // Bail if no current user or group activity deletions are disabled.
+    if ( ! is_user_logged_in() || bp_disable_group_activity_deletions() ) {
         return $retval;
     }
 
-    if ( isset( $activity->component ) || 'groups' !== $activity->component ) {
+    if ( ! isset( $activity->component ) || 'groups' !== $activity->component ) {
         return $retval;
     }
 
-    // Trust the passed value for administrators.
-    if ( bp_current_user_can( 'bp_moderate' ) ) {
+    // The first conditional statement will trust the passed value for administrators.
+    // The second conditional statement does not allow "site admin" activity posts to be deleted by "non site admins".
+    if ( bp_current_user_can( 'bp_moderate' ) || bp_user_can( $activity->user_id, 'bp_moderate' ) ) {
         return $retval;
     }
 
-    // Group administrators or moderators can delete content in that group that doesn't belong to them.
     $group_id = $activity->item_id;
+
+    // Group administrators or moderators can delete content in which deletions are allowed for that group.
     if ( groups_is_user_admin( bp_loggedin_user_id(), $group_id ) || groups_is_user_mod( bp_loggedin_user_id(), $group_id ) ) {
         $retval = true;

trunk/tests/phpunit/testcases/groups/activity.php

@@ -354 +354 @@
         return $args;
     }
+
+    /**
+     * @ticket BP8728
+     */
+    public function test_user_can_delete_group_activity() {
+        $u1             = self::factory()->user->create();
+        $u2             = self::factory()->user->create();
+        $original_user = bp_loggedin_user_id();
+
+        $this->set_current_user( $u1 );
+
+        $g = self::factory()->group->create();
+
+        $a = self::factory()->activity->create(
+            array(
+                'user_id'   => $u2,
+                'component' => buddypress()->groups->id,
+                'type'      => 'activity_update',
+                'item_id'   => $g,
+                'content'   => 'Random content',
+            )
+        );
+
+        // Activity for group creator.
+        $b = self::factory()->activity->create(
+            array(
+                'user_id'   => $u1,
+                'component' => buddypress()->groups->id,
+                'type'      => 'activity_update',
+                'item_id'   => $g,
+                'content'   => 'Random content',
+            )
+        );
+
+        // Add user to group.
+        self::add_user_to_group( $u2, $g );
+
+        $activity   = self::factory()->activity->get_object_by_id( $a );
+        $activity_b = self::factory()->activity->get_object_by_id( $b );
+
+        // User can delete his own activity.
+        $this->set_current_user( $u2 );
+        $this->assertTrue( bp_activity_user_can_delete( $activity ) );
+
+        // Activity from site admins can't be deleted by non site admins.
+        $this->set_current_user( $u2 );
+        $this->assertFalse( bp_activity_user_can_delete( $activity_b ) );
+
+        // Activity from site admins can be deleted by other site admins.
+        $site_admin = self::factory()->user->create( array( 'role' => 'administrator' ) );
+        $this->set_current_user( $site_admin );
+        $this->assertTrue( bp_activity_user_can_delete( $activity_b ) );
+
+        // Group creator can delete activity.
+        $this->set_current_user( $u1 );
+        $this->assertTrue( bp_activity_user_can_delete( $activity ) );
+
+        // Logged-out user can't delete activity.
+        $this->set_current_user( 0 );
+        $this->assertFalse( bp_activity_user_can_delete( $activity ) );
+
+        // Misc user can't delete activity.
+        $misc_user = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+        $this->set_current_user( $misc_user );
+        $this->assertFalse( bp_activity_user_can_delete( $activity ) );
+
+        // Misc group member can't delete activity.
+        $misc_user_2 = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+        self::add_user_to_group( $misc_user_2, $g );
+        $this->set_current_user( $misc_user_2 );
+        $this->assertFalse( bp_activity_user_can_delete( $activity ) );
+
+        // Group mod can delete activity.
+        $misc_user_3 = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+        self::add_user_to_group( $misc_user_3, $g, [ 'is_mod' => true ] );
+        $this->set_current_user( $misc_user_3 );
+        $this->assertTrue( bp_activity_user_can_delete( $activity ) );
+
+        // Group admin can delete activity.
+        $misc_user_4 = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+        self::add_user_to_group( $misc_user_4, $g, [ 'is_admin' => true ] );
+        $this->set_current_user( $misc_user_4 );
+        $this->assertTrue( bp_activity_user_can_delete( $activity ) );
+
+        $this->set_current_user( $original_user );
+    }
+
+    /**
+     * @ticket BP8728
+     */
+    public function test_group_admins_cannot_delete_activity() {
+        $u1            = self::factory()->user->create();
+        $u2            = self::factory()->user->create();
+        $original_user = bp_loggedin_user_id();
+
+        $this->set_current_user( $u1 );
+
+        $g  = self::factory()->group->create();
+        $g2 = self::factory()->group->create();
+        $a  = self::factory()->activity->create(
+            array(
+                'user_id'   => $u1,
+                'content'   => 'Random Activity content',
+            )
+        );
+
+        // Activity for group creator.
+        $a2 = self::factory()->activity->create(
+            array(
+                'user_id'   => $u1,
+                'component' => buddypress()->groups->id,
+                'type'      => 'activity_update',
+                'item_id'   => $g,
+                'content'   => 'Random first Group Activity content',
+            )
+        );
+
+        $a3 = self::factory()->activity->create(
+            array(
+                'user_id'   => $u1,
+                'component' => buddypress()->groups->id,
+                'type'      => 'activity_update',
+                'item_id'   => $g2,
+                'content'   => 'Random second Group Activity content',
+            )
+        );
+
+        $activity = self::factory()->activity->get_object_by_id( $a );
+
+        // Add u2 as Admin of g2.
+        self::add_user_to_group( $u2, $g, [ 'is_admin' => true ] );
+
+        $this->set_current_user( $u2 );
+        $this->assertFalse( bp_activity_user_can_delete( $activity ), 'Group Admins or Mods shouldn not be able to delete activities that are not attached to a group' );
+
+        $activity = self::factory()->activity->get_object_by_id( $a2 );
+
+        add_filter( 'bp_disable_group_activity_deletions', '__return_true' );
+
+        $this->assertFalse( bp_activity_user_can_delete( $activity ), 'Group Admins or Mods should not be able to delete group activities when Site admin globally disallowed it.' );
+
+        remove_filter( 'bp_disable_group_activity_deletions', '__return_true' );
+
+        $activity = self::factory()->activity->get_object_by_id( $a3 );
+        $this->assertFalse( bp_activity_user_can_delete( $activity ), 'Group Admins or Mods should not be able to delete another group activities.' );
+
+        $this->set_current_user( $original_user );
+    }
 }