Changeset 14107

Timestamp:

03/20/2025 07:10:28 PM (10 months ago)

Author:

dcavins

Message:

Restrict bulk notification management to owner (14.0 branch).

When attempting to manage notifications in bulk, ensure that the current user is either a site admin or owns all of the notifications specified.

Many thanks to Brian Mungah for responsibly reporting the problem.

Location:

branches/12.0

Files:

• src/bp-notifications/actions/bulk-manage.php (modified) (1 diff)
• src/bp-notifications/bp-notifications-functions.php (modified) (1 diff)
• tests/phpunit/testcases/notifications/functions.php (modified) (1 diff)

branches/12.0/src/bp-notifications/actions/bulk-manage.php

@@ -41 +41 @@
 
     // Delete, mark as read or unread depending on the user 'action'.
+    $result = bp_notifications_bulk_manage_notifications( $action, $notifications );
+
+    // Set message depending on the user 'action'.
     switch ( $action ) {
         case 'delete':
-            bp_notifications_delete_notifications_by_ids( $notifications );
             bp_core_add_message( __( 'Notifications deleted.', 'buddypress' ) );
             break;
 
         case 'read':
-            bp_notifications_mark_notifications_by_ids( $notifications, false );
             bp_core_add_message( __( 'Notifications marked as read', 'buddypress' ) );
             break;
 
         case 'unread':
-            bp_notifications_mark_notifications_by_ids( $notifications, true );
             bp_core_add_message( __( 'Notifications marked as unread.', 'buddypress' ) );
             break;

branches/12.0/src/bp-notifications/bp-notifications-functions.php

@@ -669 +669 @@
 
 /**
+ * Mark a batch of notifications as read or unread or delete them.
+ *
+ * @since 12.5.3 (Backported from 14.3.4)
+ *
+ * @param string $user_id          Action to run on notifications.
+ * @param array  $notification_ids IDs of the notifications to change.
+ * @return bool True if the action run returned true.
+ */
+function bp_notifications_bulk_manage_notifications( $action, $notification_ids = array() ) {
+    $notification_ids = wp_parse_id_list( $notification_ids );
+    if ( empty( $notification_ids ) ) {
+        return false;
+    }
+
+    if ( ! current_user_can( 'bp_manage' ) ) {
+        // Regular users can only manage their own notifications.
+        $all_user_notifications     = BP_Notifications_Notification::get(
+            array(
+                'user_id'           => bp_loggedin_user_id(),
+                'is_new'            => 'both', // Allow unread and read notices to be found.
+                'update_meta_cache' => false,
+            )
+        );
+        $all_user_notifications_ids = wp_list_pluck( $all_user_notifications, 'id' );
+        $notification_ids           = array_intersect( $notification_ids, $all_user_notifications_ids );
+        if ( empty( $notification_ids ) ) {
+            return false;
+        }
+    }
+
+    // Delete, mark as read or unread depending on the 'action'.
+    $result = false;
+    switch ( $action ) {
+        case 'delete':
+            $result = bp_notifications_delete_notifications_by_ids( $notification_ids );
+            break;
+
+        case 'read':
+            $result = bp_notifications_mark_notifications_by_ids( $notification_ids, false );
+            break;
+
+        case 'unread':
+            $result = bp_notifications_mark_notifications_by_ids( $notification_ids, true );
+            break;
+    }
+
+    return ( bool ) $result;
+}
+
+/**
  * Check if a user has access to a specific notification.
  *

branches/12.0/tests/phpunit/testcases/notifications/functions.php

@@ -502 +502 @@
         $this->assertTrue( 1 === (int) $n_obj->is_new );
     }
+
+    /**
+     * @group bulk_manage_notifications
+     */
+    public function test_bp_notifications_bulk_manage_notifications_user_must_own_items() {
+        $u1 = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+
+        // Create notifications
+        $n1 = self::factory()->notification->create( array(
+            'component_name'    => 'messages',
+            'component_action'  => 'new_message',
+            'item_id'           => 99,
+            'user_id'           => $u1,
+        ) );
+        $n2 = self::factory()->notification->create( array(
+            'component_name'    => 'messages',
+            'component_action'  => 'new_message',
+            'item_id'           => 100,
+            'user_id'           => $u1,
+        ) );
+        $n3 = self::factory()->notification->create( array(
+            'component_name'    => 'messages',
+            'component_action'  => 'new_message',
+            'item_id'           => 101,
+            'user_id'           => $u2,
+        ) );
+
+        wp_set_current_user( $u2 );
+        // Attempt to mark all as read.
+        bp_notifications_bulk_manage_notifications( 'read', array( $n1, $n2, $n3 ) );
+
+        // Check status of $n2 (which shouldn't be affected).
+        $n_get = BP_Notifications_Notification::get(
+            array(
+                'id'               => $n2,
+                'component_name'   => 'messages',
+                'component_action' => 'new_message',
+                'is_new'           => 'both',
+            )
+        );
+        $n_obj = reset( $n_get );
+        $this->assertTrue( 1 === (int) $n_obj->is_new );
+
+        // Check status of $n3 (which should be affected).
+        $n_get = BP_Notifications_Notification::get(
+            array(
+                'id'               => $n3,
+                'component_name'   => 'messages',
+                'component_action' => 'new_message',
+                'is_new'           => 'both',
+            )
+        );
+        $n_obj = reset( $n_get );
+        $this->assertTrue( 0 === (int) $n_obj->is_new );
+    }
+
 }