BuddyPress.org
Timestamp:
10/23/2013 07:22:17 AM (12 years ago)
Author:
r-a-y
Message:

Check username column first before sending a PM to a recipient.

Previously, when sending a private message, a check was made against the
user ID column first to determine who the recipient is.

The problem with that is if:

  1. A site uses numeric user_login / user_nicenames only; and if
  2. A site has a large userbase

then the recipient might be calculated incorrectly because of the check
against the ID column first, leading to unintended private messages being
sent to the wrong user(s).

This commit fixes this issue by reversing the lookup so the user_login /
user_nicename DB column is checked first, followed by the ID column being
checked as a fallback if there is no initial match.

Fixes #5151.

Props DennisSmolek.

File:
1 edited

  • trunk/bp-messages/bp-messages-functions.php

    r7228 r7462  
    7575            $recipient_id = false;
    7676
    77             // input was numeric
    78             if ( is_numeric( $recipient ) ) {
    79                 // do a check against the user ID column first
    80                 if ( bp_core_get_core_userdata( (int) $recipient ) )
     77            // check user_login / nicename columns first
     78            // @see http://buddypress.trac.wordpress.org/ticket/5151
     79            if ( bp_is_username_compatibility_mode() ) {
     80                $recipient_id = bp_core_get_userid( $recipient );
     81            } else {
     82                $recipient_id = bp_core_get_userid_from_nicename( $recipient );
     83            }
     84
     85            // check against user ID column if no match and if passed recipient is numeric
     86            if ( ! $recipient_id && is_numeric( $recipient ) ) {
     87                if ( bp_core_get_core_userdata( (int) $recipient ) ) {
    8188                    $recipient_id = (int) $recipient;
    82 
    83                 // if that fails, check against the user_login / user_nicename column
    84                 else {
    85                     if ( bp_is_username_compatibility_mode() )
    86                         $recipient_id = bp_core_get_userid( (int) $recipient );
    87                     else
    88                         $recipient_id = bp_core_get_userid_from_nicename( (int) $recipient );
    8989                }
    90 
     90            }
     91
     92            if ( ! $recipient_id ) {
     93                $invalid_recipients[] = $recipient;
    9194            } else {
    92                 if ( bp_is_username_compatibility_mode() )
    93                     $recipient_id = bp_core_get_userid( $recipient );
    94                 else
    95                     $recipient_id = bp_core_get_userid_from_nicename( $recipient );
    96             }
    97 
    98             if ( !$recipient_id )
    99                 $invalid_recipients[] = $recipient;
    100             else
    10195                $recipient_ids[] = (int) $recipient_id;
     96            }
    10297        }
    10398
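Review bot: The ID fallback on new lines 86-88 (`if ( ! $recipient_id && is_numeric( $recipient ) )` followed by `(int) $recipient`) still lets more than a plain integer through, because `is_numeric()` also accepts strings such as `'5.7'` or `' 5'`, which `(int)` then truncates to `5`; since the whole point of this change is to stop messages reaching the wrong user, the fallback should only fire for an exact digit string, e.g. `ctype_digit( (string) $recipient )`, so that a malformed recipient ends up in `$invalid_recipients` rather than being silently mapped onto another account. Worth a docblock note as well: with the lookup order reversed, a caller that passes an integer user ID will now resolve to the user whose login or nicename is that number when one exists, and only falls back to the ID column when no such login is found.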