

Changeset 9948


Timestamp:
06/16/2015 10:48:11 PM (9 years ago)
Author:
johnjamesjacoby
Message:

Messages: Introduce filter to enforce private message thread query boundaries.

This change ensures that all queries for private messages will always return anticipated results, even when certain malformed values are passed in. It specifically hardens the user ID argument to prevent accidental overriding.

Fixes #6504. Props r-a-y. (trunk, for 2.4.0)

Location:
trunk
Files:
3 edited

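--- a/trunk/src/bp-messages/bp-messages-filters.php
+++ b/trunk/src/bp-messages/bp-messages-filters.php
@@ -66,2 +66,26 @@
 add_filter( 'bp_get_the_thread_message_content', 'stripslashes_deep' );
 add_filter( 'bp_get_the_thread_subject',         'stripslashes_deep' );
+
+/**
+ * Enforce limitations on viewing private message contents
+ *
+ * @since BuddyPress (2.3.2)
+ *
+ * @see bp_has_message_threads() for description of parameters
+ *
+ * @param array|string $args See {@link bp_has_message_threads()}.
+ */
+function bp_messages_enforce_current_user( $args = array() ) {
+
+    // Non-community moderators can only ever see their own messages
+    if ( is_user_logged_in() && ! bp_current_user_can( 'bp_moderate' ) ) {
+        $_user_id = (int) bp_loggedin_user_id();
+        if ( $_user_id !== (int) $args['user_id'] ) {
+            $args['user_id'] = $_user_id;
+        }
+    }
+
+    // Return possibly modified $args array
+    return $args;
+}
+add_filter( 'bp_after_has_message_threads_parse_args', 'bp_messages_enforce_current_user', 5 );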
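Review bot: The guard on the `is_user_logged_in()` line switches the enforcement off for logged-out visitors, so a caller-supplied `user_id` reaches the query untouched in that case unless bp_has_message_threads() rejects it elsewhere. If visitors are never meant to see a thread, dropping the first operand applies the rule uniformly: `if ( ! bp_current_user_can( 'bp_moderate' ) ) {` then forces `user_id` to `bp_loggedin_user_id()`, which should be 0 when nobody is logged in (the test added in trunk/tests/phpunit/testcases/messages/template.php only exercises the default arguments). Inside the branch the `!==` comparison is redundant; assigning `$args['user_id'] = $_user_id;` unconditionally is simpler and equivalent. The docblock's `array|string $args` also does not match the body, which indexes `$args['user_id']` and so needs an array; since the filter runs after argument parsing, `@param array $args` is the accurate type.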
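--- a/trunk/src/bp-messages/classes/class-bp-messages-thread.php
+++ b/trunk/src/bp-messages/classes/class-bp-messages-thread.php
@@ -461,12 +461,17 @@
         }
 
-        if ( ! empty( $r['user_id'] ) ) {
-            if ( 'sentbox' == $r['box'] ) {
+        $r['user_id'] = (int) $r['user_id'];
+
+        switch ( $r['box'] ) {
+            case 'sentbox' :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'm.sender_id = %d', $r['user_id'] );
-                $sender_sql  = ' AND m.sender_id = r.user_id';
-            } else {
+                $sender_sql  = 'AND m.sender_id = r.user_id';
+                break;
+
+            case 'inbox' :
+            default :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'r.user_id = %d', $r['user_id'] );
-                $sender_sql  = ' AND r.sender_only = 0';
-            }
+                $sender_sql  = 'AND r.sender_only = 0';
+                break;
         }
 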
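Review bot: The `switch ( $r['box'] )` compares with PHP's loose `==`, exactly as the `'sentbox' == $r['box']` it replaces did, so a non-string `box` value (for example integer 0 on PHP versions before 8) can satisfy `case 'sentbox'`; a cast mirrors the `(int)` hardening applied to `user_id` two lines above: `switch ( (string) $r['box'] ) {`. The leading space was dropped from both `$sender_sql` strings so they now match `$user_id_sql`, which means the site that concatenates the fragments must supply the separator itself; that site is outside the hunk and worth confirming, because without a space the two fragments run together into one token. The enclosing method starts and ends outside the hunk.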
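--- a/trunk/tests/phpunit/testcases/messages/template.php
+++ b/trunk/tests/phpunit/testcases/messages/template.php
@@ -260,4 +260,32 @@
 
     /**
+     * @group bp_has_message_threads
+     */
+    public function test_has_message_threads_anonymous_user_should_not_see_threads() {
+        $u1 = $this->factory->user->create();
+        $u2 = $this->factory->user->create();
+
+        // create initial thread
+        $this->factory->message->create( array(
+            'sender_id'  => $u1,
+            'recipients' => array( $u2 ),
+        ) );
+
+        // set user to anonymous
+        $old_current_user = get_current_user_id();
+        $this->set_current_user( 0 );
+
+        // now, do the message thread query
+        global $messages_template;
+        bp_has_message_threads();
+
+        // assert!
+        $this->assertEquals( 0, $messages_template->thread_count );
+        $this->assertEmpty( $messages_template->threads );
+
+        $this->set_current_user( $old_current_user );
+    }
+
+    /**
     * @group pagination
     * @group BP_Messages_Box_Template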
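Review bot: The new test covers only the logged-out path; the case the commit message describes — a logged-in user without `bp_moderate` passing another user's ID as `user_id` and still receiving only their own threads — has no test, and a sibling method that creates two users, logs in as one, calls `bp_has_message_threads( array( 'user_id' => $u2 ) )` and asserts the returned threads belong to the logged-in user would pin the hardening introduced in bp-messages-filters.php. The closing `$this->set_current_user( $old_current_user );` only runs when both assertions pass, so unless the fixture resets the current user in tearDown, a failure here leaves user 0 in place for later tests; moving the restore above the assertions (after capturing `$messages_template`) avoids that.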