Changeset 6891

Timestamp:

04/06/2013 06:40:33 PM (12 years ago)

Author:

johnjamesjacoby

Message:

In bp_core_delete_account(), move capability checks into a logged-in user comparison block, to ensure the logged-in user is not trying to delete someone else's account. Props boonegorges. Fixes #4915.

File:

• trunk/bp-members/bp-members-functions.php (modified) (1 diff)

trunk/bp-members/bp-members-functions.php

@@ -815 +815 @@
         return false;
 
-    // Bail if current user cannot delete any users
-    if ( ! bp_current_user_can( 'delete_users' ) )
-        return false;
-
-    // Bail if current user cannot delete this user
-    if ( ! current_user_can_for_blog( bp_get_root_blog_id(), 'delete_user', $user_id ) )
-        return false;
+    // Extra checks if user is not deleting themselves
+    if ( bp_loggedin_user_id() !== absint( $user_id ) ) {
+
+        // Bail if current user cannot delete any users
+        if ( ! bp_current_user_can( 'delete_users' ) ) {
+            return false;
+        }
+
+        // Bail if current user cannot delete this user
+        if ( ! current_user_can_for_blog( bp_get_root_blog_id(), 'delete_user', $user_id ) ) {
+            return false;
+        }
+    }
 
     do_action( 'bp_core_pre_delete_account', $user_id );