Skip to:
Content

BuddyPress.org

Opened 11 years ago

Closed 11 years ago

#5254 closed defect (bug) (fixed)

Message thread still accessible after member has deleted it

Reported by: henrywright's profile henrywright Owned by: imath's profile imath
Milestone: 2.0 Priority: normal
Severity: normal Version: 1.8.1
Component: Messages Keywords: has-patch 2nd-opinion commit
Cc:

Description

Steps to reproduce

  1. Delete a message thread but take note of the thread's URL. e.g /members/username/messages/view/165/
  1. After the thread has been successfully deleted, visit the URL.

You will see that even though the deleted message thread doesn't appear in a member's inbox or sentbox, the thread can still be read by the member who deleted it if they access it by directly typing in the URL.

Attachments (1)

5254.diff (711 bytes) - added by imath 11 years ago.

Download all attachments as: .zip

Change History (6)

#1 follow-up: @DJPaul
11 years ago

  • Milestone changed from Awaiting Review to 1.9

We should double-check this for 1.9 and see if it's been a regression from previous versions or not.

#2 in reply to: ↑ 1 @imath
11 years ago

  • Keywords has-patch 2nd-opinion added

Replying to DJPaul:

We should double-check this for 1.9 and see if it's been a regression from previous versions or not.

Hi Paul, just checked it, and it's happening the same way in 1.8.1.

I suggest to temporary patch this by checking if the current user has deleted the thread adding a check to the is_deleted field in BP_Messages_Thread::check_access() so that a regular user doing what explains @henrywright will be redirected to his inbox instead of viewing a message he deleted (see the 5254.diff attached to this ticket). This means, a user that can 'bp_moderate' will still view the message even if he deleted it, but he's not a regular user ;)

If i understand well : a thread is deleted only if sender and recipients all deleted it. 1.9 might be too close to review the process of the message component.

@imath
11 years ago

#3 @boonebgorges
11 years ago

  • Milestone changed from 1.9 to 2.0

Hi Paul, just checked it, and it's happening the same way in 1.8.1.

Thanks for checking it out, imath.

1.9 might be too close to review the process of the message component.

Yup, and since it's not a regression, let's do it for 2.0.

#4 @DJPaul
11 years ago

  • Keywords commit added

Let's get this in.

#5 @imath
11 years ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 8049:

Make sure a deleted message thread is no more viewable by the user

When a user deletes a message thread, the message is no more shown in its inbox or outbox, but typing the url of the message thread will load the message giving the impression, it has not been deleted. Reason is a message is completely deleted as soon as all recipients and senders deleted it. So we need to make sure the user will be redirected to his inbox if he tries to view a message thread he deleted.

Props henrywright

Fixes #5254

Note: See TracTickets for help on using tickets.