Skip to:
Content

BuddyPress.org

Changeset 5908


Ignore:
Timestamp:
03/13/2012 08:33:06 PM (13 years ago)
Author:
johnjamesjacoby
Message:

Bail early in bp-default ajax functions if not a POST request.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/bp-themes/bp-default/_inc/ajax.php

    r5822 r5908  
    8686function bp_dtheme_object_template_loader() {
    8787
     88    // Bail if not a POST action
     89    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     90        return;
     91
    8892    /**
    8993     * AJAX requests happen too early to be seen by bp_update_is_directory()
     
    117121// This function will load the activity loop template when activity is requested via AJAX
    118122function bp_dtheme_activity_template_loader() {
     123
     124    // Bail if not a POST action
     125    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     126        return;
    119127
    120128    $scope = '';
     
    157165function bp_dtheme_post_update() {
    158166
     167    // Bail if not a POST action
     168    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     169        return;
     170
    159171    // Check the nonce
    160172    check_admin_referer( 'post_update', '_wpnonce_post_update' );
     
    197209/* AJAX activity comment posting */
    198210function bp_dtheme_new_activity_comment() {
     211
     212    // Bail if not a POST action
     213    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     214        return;
    199215
    200216    // Check the nonce
     
    254270function bp_dtheme_delete_activity() {
    255271
     272    // Bail if not a POST action
     273    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     274        return;
     275
    256276    // Check the nonce
    257277    check_admin_referer( 'bp_activity_delete_link' );
     
    291311/* AJAX delete an activity comment */
    292312function bp_dtheme_delete_activity_comment() {
     313
     314    // Bail if not a POST action
     315    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     316        return;
    293317
    294318    // Check the nonce
     
    332356    global $bp;
    333357
     358    // Bail if not a POST action
     359    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     360        return;
     361
    334362    // Check that user is logged in, Activity Streams are enabled, and Akismet is present.
    335363    if ( !is_user_logged_in() || !bp_is_active( 'activity' ) || empty( $bp->activity->akismet ) ) {
     
    374402function bp_dtheme_mark_activity_favorite() {
    375403
     404    // Bail if not a POST action
     405    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     406        return;
     407
    376408    bp_activity_add_user_favorite( $_POST['id'] );
    377409    _e( 'Remove Favorite', 'buddypress' );
     
    381413/* AJAX mark an activity as not a favorite */
    382414function bp_dtheme_unmark_activity_favorite() {
     415
     416    // Bail if not a POST action
     417    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     418        return;
    383419
    384420    bp_activity_remove_user_favorite( $_POST['id'] );
     
    394430 */
    395431function bp_dtheme_get_single_activity_content() {
     432    // Bail if not a POST action
     433    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     434        return;
     435
    396436    $activity_array = bp_activity_get_specific( array(
    397437        'activity_ids'     => $_POST['activity_id'],
     
    401441    $activity = !empty( $activity_array['activities'][0] ) ? $activity_array['activities'][0] : false;
    402442
    403     if ( !$activity )
     443    if ( empty( $activity ) )
    404444        exit(); // todo: error?
    405445
     
    417457/* AJAX invite a friend to a group functionality */
    418458function bp_dtheme_ajax_invite_user() {
     459
     460    // Bail if not a POST action
     461    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     462        return;
    419463
    420464    check_ajax_referer( 'groups_invite_uninvite_user' );
     
    461505function bp_dtheme_ajax_addremove_friend() {
    462506
     507    // Bail if not a POST action
     508    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     509        return;
     510
    463511    if ( 'is_friend' == BP_Friends_Friendship::check_is_friend( bp_loggedin_user_id(), $_POST['fid'] ) ) {
    464512
     
    490538/* AJAX accept a user as a friend when clicking the "accept" button */
    491539function bp_dtheme_ajax_accept_friendship() {
     540
     541    // Bail if not a POST action
     542    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     543        return;
     544
    492545    check_admin_referer( 'friends_accept_friendship' );
    493546
     
    501554/* AJAX reject a user as a friend when clicking the "reject" button */
    502555function bp_dtheme_ajax_reject_friendship() {
     556    // Bail if not a POST action
     557    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     558        return;
     559
    503560    check_admin_referer( 'friends_reject_friendship' );
    504561
     
    512569/* AJAX join or leave a group when clicking the "join/leave" button */
    513570function bp_dtheme_ajax_joinleave_group() {
     571
     572    // Bail if not a POST action
     573    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     574        return;
    514575
    515576    if ( groups_is_user_banned( bp_loggedin_user_id(), $_POST['gid'] ) )
     
    563624    global $userdata;
    564625
     626    // Bail if not a POST action
     627    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     628        return;
     629
    565630    if ( !isset( $_POST['notice_id'] ) ) {
    566631        echo "-1<div id='message' class='error'><p>" . __('There was a problem closing the notice.', 'buddypress') . '</p></div>';
     
    578643function bp_dtheme_ajax_messages_send_reply() {
    579644    global $bp;
     645
     646    // Bail if not a POST action
     647    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     648        return;
    580649
    581650    check_ajax_referer( 'messages_send_message' );
     
    614683function bp_dtheme_ajax_message_markunread() {
    615684
     685    // Bail if not a POST action
     686    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     687        return;
     688
    616689    if ( !isset($_POST['thread_ids']) ) {
    617690        echo "-1<div id='message' class='error'><p>" . __('There was a problem marking messages as unread.', 'buddypress' ) . '</p></div>';
     
    629702function bp_dtheme_ajax_message_markread() {
    630703
     704    // Bail if not a POST action
     705    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     706        return;
     707
    631708    if ( !isset($_POST['thread_ids']) ) {
    632709        echo "-1<div id='message' class='error'><p>" . __('There was a problem marking messages as read.', 'buddypress' ) . '</p></div>';
     
    643720/* AJAX delete a private message or array of messages in your inbox */
    644721function bp_dtheme_ajax_messages_delete() {
     722
     723    // Bail if not a POST action
     724    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
     725        return;
    645726
    646727    if ( !isset($_POST['thread_ids']) ) {
Note: See TracChangeset for help on using the changeset viewer.