Skip to:

Opened 10 years ago

Closed 10 years ago

#5319 closed enhancement (fixed)

Prevent friend POST request from member to himself

Reported by: megainfo's profile megainfo Owned by: boonebgorges's profile boonebgorges
Milestone: 2.0 Priority: low
Severity: minor Version: 1.9.1
Component: Friends Keywords: has-patch


Member can be a friend with himself by sending ajax post (using some web tools like Firefox Webdeveloper or Firebug).

Attachments (3)

buddypress-functions.php.patch (574 bytes) - added by megainfo 10 years ago.
Patch for Legacy template
ajax.php.patch (526 bytes) - added by megainfo 10 years ago.
Patch for default theme
5319.01.patch (1.0 KB) - added by r-a-y 10 years ago.

Download all attachments as: .zip

Change History (13)

10 years ago

Patch for Legacy template

10 years ago

Patch for default theme

#1 @megainfo
10 years ago

  • Summary changed from Prevent POST request from member to himself to Prevent friend POST request from member to himself

#2 @boonebgorges
10 years ago

  • Keywords 2nd-opinion added

I don't see that much harm can come of this, but I suppose it's a good idea to fix it.

Other devs: better to fix here, or in friends_add_friend()? Any legitimate reason anyone can think of why we'd want to allow self-friendships at the level of friends_add_friend() but not at the interface level?

#3 @r-a-y
10 years ago

I'd say put the fix in friends_add_friend(). I don't think there's a legitimate reason a person would want to be friends with themselves!

#4 @imath
10 years ago

I agree with r-a-y.

#5 @boonebgorges
10 years ago

  • Keywords needs-refresh added
  • Milestone changed from Awaiting Review to 2.0
  • Priority changed from normal to low
  • Severity changed from normal to minor

Sounds good to me. Let's get a refresh on the patch.

#6 @DJPaul
10 years ago

  • Keywords has-patch removed

10 years ago

#7 @r-a-y
10 years ago

  • Keywords has-patch added; 2nd-opinion needs-refresh removed

Attached patch checks if the initiator and the pending friend to see if they are the same. If they are the same, we bail.

Patch also fixes a logic issue with how friends_add_friend() checks if the two users are already friends. We need to use the friends_check_friendship() to actually check if two users are friends or not. Instantiating a new BP_Friends_Friendship object does not do anything.

Just wanted some feedback on the latter before I commit.

#8 @boonebgorges
10 years ago

IMHO the current behavior of returning *true* when users are already friends is incorrect. It ought to return *false*. But that's an issue for a separate ticket. Fix looks good; I'm going to commit it with unit tests.

#9 @boonebgorges
10 years ago

In 8172:

Return false friends_add_friend() when the initiator is the same as the friend

It's good to love yourself, but there's no real reason to allow
self-friendships in BuddyPress.

See #5319

Props megainfo, r-a-y

#10 @boonebgorges
10 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 8173:

Fix check for existing friendship in friends_add_friend()

The previous logic would always result in this check failing.

Fixes #5319

Props r-a-y

Note: See TracTickets for help on using tickets.