Skip to:
Content

BuddyPress.org


Ignore:
Timestamp:
03/20/2025 08:24:38 PM (11 months ago)
Author:
dcavins
Message:

Restrict bulk notification management to owner (11.0 branch).

When attempting to manage notifications in bulk, ensure that the current user is either a site admin or owns all of the notifications specified.

Many thanks to Brian Mungah for responsibly reporting the problem.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/11.0/tests/phpunit/testcases/notifications/functions.php

    r13243 r14116  
    501501        $this->assertTrue( 1 === (int) $n_obj->is_new );
    502502    }
     503
     504    /**
     505     * @group bulk_manage_notifications
     506     */
     507    public function test_bp_notifications_bulk_manage_notifications_user_must_own_items() {
     508        $u1 = self::factory()->user->create();
     509        $u2 = self::factory()->user->create();
     510
     511        // Create notifications
     512        $n1 = self::factory()->notification->create( array(
     513            'component_name'    => 'messages',
     514            'component_action'  => 'new_message',
     515            'item_id'           => 99,
     516            'user_id'           => $u1,
     517        ) );
     518        $n2 = self::factory()->notification->create( array(
     519            'component_name'    => 'messages',
     520            'component_action'  => 'new_message',
     521            'item_id'           => 100,
     522            'user_id'           => $u1,
     523        ) );
     524        $n3 = self::factory()->notification->create( array(
     525            'component_name'    => 'messages',
     526            'component_action'  => 'new_message',
     527            'item_id'           => 101,
     528            'user_id'           => $u2,
     529        ) );
     530
     531        wp_set_current_user( $u2 );
     532        // Attempt to mark all as read.
     533        bp_notifications_bulk_manage_notifications( 'read', array( $n1, $n2, $n3 ) );
     534
     535        // Check status of $n2 (which shouldn't be affected).
     536        $n_get = BP_Notifications_Notification::get(
     537            array(
     538                'id'               => $n2,
     539                'component_name'   => 'messages',
     540                'component_action' => 'new_message',
     541                'is_new'           => 'both',
     542            )
     543        );
     544        $n_obj = reset( $n_get );
     545        $this->assertTrue( 1 === (int) $n_obj->is_new );
     546
     547        // Check status of $n3 (which should be affected).
     548        $n_get = BP_Notifications_Notification::get(
     549            array(
     550                'id'               => $n3,
     551                'component_name'   => 'messages',
     552                'component_action' => 'new_message',
     553                'is_new'           => 'both',
     554            )
     555        );
     556        $n_obj = reset( $n_get );
     557        $this->assertTrue( 0 === (int) $n_obj->is_new );
     558    }
     559
    503560}
Note: See TracChangeset for help on using the changeset viewer.