
Changeset 9949


Timestamp:
06/16/2015 10:50:15 PM (9 years ago)
Author:
johnjamesjacoby
Message:

Messages: Introduce filter to enforce private message thread query boundaries.

This change ensures that all queries for private messages will always return anticipated results, even when certain malformed values are passed in. It specifically hardens the user ID argument so that it cannot be accidentally overridden by a caller-supplied value.

Fixes #6504. Props r-a-y. (2.3 branch, for 2.3.2)

Location:
branches/2.3
Files:
3 edited

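--- a/branches/2.3/src/bp-messages/bp-messages-filters.php
+++ b/branches/2.3/src/bp-messages/bp-messages-filters.php
@@ -66,2 +66,26 @@
 add_filter( 'bp_get_the_thread_message_content', 'stripslashes_deep' );
 add_filter( 'bp_get_the_thread_subject',         'stripslashes_deep' );
+
+/**
+ * Enforce limitations on viewing private message contents
+ *
+ * @since BuddyPress (2.3.2)
+ *
+ * @see bp_has_message_threads() for description of parameters
+ *
+ * @param array|string $args See {@link bp_has_message_threads()}.
+ */
+function bp_messages_enforce_current_user( $args = array() ) {
+
+    // Non-community moderators can only ever see their own messages
+    if ( is_user_logged_in() && ! bp_current_user_can( 'bp_moderate' ) ) {
+        $_user_id = (int) bp_loggedin_user_id();
+        if ( $_user_id !== (int) $args['user_id'] ) {
+            $args['user_id'] = $_user_id;
+        }
+    }
+
+    // Return possibly modified $args array
+    return $args;
+}
+add_filter( 'bp_after_has_message_threads_parse_args', 'bp_messages_enforce_current_user', 5 );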
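Review bot: The `is_user_logged_in()` guard on the `if` in `bp_messages_enforce_current_user` means a logged-out request is never constrained, so a caller-supplied `user_id` passes through untouched for anonymous visitors; if `bp_loggedin_user_id()` returns 0 for them (as the new anonymous test seems to assume), dropping the guard pins anonymous queries to `user_id = 0` as well: `if ( ! bp_current_user_can( 'bp_moderate' ) ) { $args['user_id'] = (int) bp_loggedin_user_id(); }`. The inner `!==` comparison before the assignment is redundant — assigning unconditionally gives the same result and reads as the enforcement it is. Hooking at priority 5 also lets any later callback on `bp_after_has_message_threads_parse_args` rewrite `user_id` after this check; for an access-control filter a late priority such as `PHP_INT_MAX` is the safer choice. `$args['user_id']` is read without `isset()`, which is only safe if the parsed defaults always carry that key — worth confirming in `bp_has_message_threads()`, which is not in this hunk.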
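--- a/branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php
+++ b/branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php
@@ -454,12 +454,17 @@
         }
 
-        if ( ! empty( $r['user_id'] ) ) {
-            if ( 'sentbox' == $r['box'] ) {
+        $r['user_id'] = (int) $r['user_id'];
+
+        switch ( $r['box'] ) {
+            case 'sentbox' :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'm.sender_id = %d', $r['user_id'] );
-                $sender_sql  = ' AND m.sender_id = r.user_id';
-            } else {
+                $sender_sql  = 'AND m.sender_id = r.user_id';
+                break;
+
+            case 'inbox' :
+            default :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'r.user_id = %d', $r['user_id'] );
-                $sender_sql  = ' AND r.sender_only = 0';
-            }
+                $sender_sql  = 'AND r.sender_only = 0';
+                break;
         }
 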
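Review bot: The unconditional `$r['user_id'] = (int) $r['user_id'];` replaces the old `! empty()` guard, so an absent, empty or non-numeric `user_id` now yields `r.user_id = 0` (or `m.sender_id = 0`) instead of an unconstrained query; that is presumably the intended hardening, but it is a deliberate fail-closed choice and deserves a comment, e.g. `// Always constrain by user ID: an empty or non-numeric value becomes 0 and matches no rows.` The new `$sender_sql` strings drop the leading space the old ones had (`' AND …'` → `'AND …'`), so the code below the hunk that concatenates these clauses must supply the separator; since `$user_id_sql` already began with `'AND '` this looks like an alignment fix, but the assembled SQL should be checked. `switch` compares loosely, which is harmless here because every value other than `'sentbox'` falls into the inbox branch. The enclosing method starts before and ends after this hunk.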
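--- a/branches/2.3/tests/phpunit/testcases/messages/template.php
+++ b/branches/2.3/tests/phpunit/testcases/messages/template.php
@@ -260,4 +260,32 @@
 
     /**
+     * @group bp_has_message_threads
+     */
+    public function test_has_message_threads_anonymous_user_should_not_see_threads() {
+        $u1 = $this->factory->user->create();
+        $u2 = $this->factory->user->create();
+
+        // create initial thread
+        $this->factory->message->create( array(
+            'sender_id'  => $u1,
+            'recipients' => array( $u2 ),
+        ) );
+
+        // set user to anonymous
+        $old_current_user = get_current_user_id();
+        $this->set_current_user( 0 );
+
+        // now, do the message thread query
+        global $messages_template;
+        bp_has_message_threads();
+
+        // assert!
+        $this->assertEquals( 0, $messages_template->thread_count );
+        $this->assertEmpty( $messages_template->threads );
+
+        $this->set_current_user( $old_current_user );
+    }
+
+    /**
      * @group pagination
      * @group BP_Messages_Box_Template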
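Review bot: The added test only covers the anonymous case, which does not exercise the new `bp_messages_enforce_current_user` filter at all (its `is_user_logged_in()` guard skips logged-out users); the behaviour the changeset introduces — a logged-in non-moderator passing another user's `user_id` and still getting only their own threads — has no test. A second test that logs in as a third, non-participating user (assuming the factory's default role lacks `bp_moderate`) and calls `bp_has_message_threads( array( 'user_id' => $u2 ) )` expecting zero threads would pin that down. The restore of `$old_current_user` happens after the assertions, so a failing assertion leaves the test run logged out unless the base class resets the current user in tearDown — worth confirming. The enclosing test class starts and ends outside this hunk.

```php
    /**
     * @group bp_has_message_threads
     */
    public function test_has_message_threads_non_moderator_cannot_query_other_users_threads() {
        $u1 = $this->factory->user->create();
        $u2 = $this->factory->user->create();
        $u3 = $this->factory->user->create();

        // thread between u1 and u2; u3 is not a participant
        $this->factory->message->create( array(
            'sender_id'  => $u1,
            'recipients' => array( $u2 ),
        ) );

        $old_current_user = get_current_user_id();
        $this->set_current_user( $u3 );

        // u3 asks for u2's inbox; the filter should rewrite user_id to u3
        global $messages_template;
        bp_has_message_threads( array( 'user_id' => $u2 ) );

        $this->assertEquals( 0, $messages_template->thread_count );
        $this->assertEmpty( $messages_template->threads );

        $this->set_current_user( $old_current_user );
    }
```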