Invalid URLs are incorrectly handled

[DJPaul]

Alot of BuddyPress URLs are not handling invalid URLs correctly. Make sure you have wp_debug set.
These must 404, not redirect back to the home page or a component's root page:

1) ​http://example.com/groups/INVALID/ (and all subdirs, i.e. /forum/, /members/, and so on).

2) ​http://example.com/groups/valid/INVALID/
3) ​http://example.com/groups/valid/forum/INVALID

4) ​http://example.com/members/INVALID/
5) ​http://example.com/members/valid/INVALID/

If a valid component is on the URL, I think that component should be responsible for handling 404s within that component, rather than letting it fall back to BP_Core, e.g.

$wp_query->set_404();
status_header( 404 );
nocache_headers();

[DJPaul]

Related: #3211

[boonebgorges]

I agree that this should be fixed, but is it really a blocker? It's not a regression; BP already works like this (for better or for worse).

In any case, it should mean just changing a few 'return false' calls to the status_header(404); sequence, right?

[DJPaul]

Fairly rough first patch attached. There may be some more situations in the messages component to 404 for, but I was unsure.

Had to hack up bp_core_catch_no_access(). As a result, the "If the displayed user was marked as a spammer and the logged-in user is not a super admin" thing doesn't work.

For the email notifications, I suggest we go through and edit all of those to point to wp-login.php with a redirect_to argument.

[johnjamesjacoby]

Patch applied over at testbp.org. Still doesn't seem to fix the ​http://testbp.org/members/sdafsadfsdf/profile issue though.

[DJPaul]

Thanks. There's definitely more to do. I'll check it out after work.

[boonebgorges]

Thanks for starting this, DJPaul. 3280-2.patch is an expanded version with a few enhancements:

• Distinguish between groups that don't exist and groups that one does not have access to. If you attempt to visit a non-existent group, or any subpage of a non-existent group, you get a 404. If you attempt to visit the inner page of a group to which you do not have access, you get bp_core_no_access(), ie a redirect to the login page with a redirect_to param. This will take care of the email notification issue without resorting to putting the hideous wp-login.php url in emails :)

• ​http://example.com/members/INVALID/profile now 404s. I did this by putting a check directly into bp_core_set_uri_globals(), where BP attempts to find a displayed_user. This was tricky for components that also have root component pages, like ​http://example.com/members/INVALID/groups, because WP's canonical URL functions tried to "help" our 404 situation by redirecting back to the similarly-named WP page with the name 'Groups'. That's why you'll see

remove_action( 'template_redirect', 'redirect_canonical' );

in a few places.

[boonebgorges]

I was thinking about this, and I think it might be nice to make a wrapper function bp_handle_404() or something like that, since unsetting the current_component and unhooking 'redirect_canonical' will generally be necessary in the case of BP 404s. This'll also make it easier for plugin authors to do proper 404ing.

[DJPaul]

Patch updated to remove unused global per IRC. /groups/valid/forum/INVALID/ is still incorrectly handled.

[DJPaul]

As is /groups/valid/send-invites/INVALID/

[DJPaul]

As much as I really, really hate it, unless we want to whitelist URLs for everything, I think we're going to have to put up with URLs like /groups/valid/send-invites/ANYTHING/GOES/HERE/.

[boonebgorges]

As much as I really, really hate it, unless we want to whitelist URLs for everything, I think we're going to have to put up with URLs like /groups/valid/send-invites/ANYTHING/GOES/HERE/.

I don't think that's true. We can just change the logic in groups_screen_group_invite() a bit. Working on a patch.

It's true that this is a huge PITA to fix, but it's good to do now, so we can set some best practices for future dev.

[boonebgorges]

See 3280-4.patch

[DJPaul]

Nice one; 3280-5.patch attached with convenience function to set the 404. Also includes a bunch of whitespace cleanup.

[DJPaul]

3280-6.patch handles some more situations along the lines of /groups/valid/send-invites/ANYTHING/GOES/HERE/. Probably not complete, and needs checking.

[boonebgorges]

(In [4506]) Introduces bp_do_404() for easy 404ing. Corrects invalid path handling throughout, using bp_do_404(). Fixes #3280. Props DJPaul