
BuddyPress.org

Opened 4 years ago

Closed 4 years ago

#6730 closed defect (bug) (fixed)

Default 'bp_xprofile_change_field_visibility' cap check passes

Reported by: r-a-y
Owned by:
Milestone: 2.4.2
Priority: normal
Severity: normal
Version: 2.4.0
Component: Extended Profile
Keywords: has-patch commit
Cc: dcavins

Description

Reported here:
https://buddypress.org/support/topic/profile-field-visibility-enforced-but-members-can-override/

If an admin has enabled 'Enforce field visibility' for a profile field, in v2.4.0, the "Change" link still shows up when a user attempts to edit the profile field.

The problem is due to the bp_current_user_can() modifications that were made in #6501 (my fault!) and how we do capability argument checks for the 'bp_xprofile_change_field_visibility' cap.

The 'bp_xprofile_change_field_visibility' cap checks if a specific capability argument is valid with isset( $args[0] ). In BP 2.3.4, this would fail; in BP 2.4.0, this passes since $args[0] is now an empty array and not null.

I've attached a patch that fixes this with a unit test.

Attachments (1)

6730.01.patch (1.9 KB) - added by r-a-y 4 years ago.


Change History (8)

@r-a-y
4 years ago

#1 @r-a-y
4 years ago

  • Version set to 2.4.0

#2 @DJPaul
4 years ago

  • Keywords commit added

Not tested but looks ok

This ticket was mentioned in Slack in #buddypress by dcavins.
4 years ago

#4 @dcavins
4 years ago

  • Cc dcavins added

@r-a-y This change works for me and is much more clever than what I was thinking of doing (changing the isset()s to isset() && ! empty()s). Good catch.

#5 @r-a-y
4 years ago

In 10376:

Caps: Fix issue with passing an empty array as an argument in bp_current_user_can().

Changes to bp_current_user_can() in #6501 broke older capability checks
relying on an empty argument to be passed in order to use a fallback value.

Most notably, bp_current_user_can('bp_xprofile_change_field_visibility' )
checks now passed by default. This resulted in the "Change" link
always being visible when editing a profile field even if an admin has enabled
"Enforce field visibility" for that particular field.

This commit fixes this issue by passing a null value if there are no
extra arguments to pass in bp_current_user_can(). Commit also includes
a unit test.

See #6730 (2.4-branch).

#6 @r-a-y
4 years ago

In 10377:

Caps: Fix issue with passing an empty array as an argument in bp_current_user_can().

Changes to bp_current_user_can() in #6501 broke older capability checks
relying on an empty argument to be passed in order to use a fallback value.

Most notably, bp_current_user_can('bp_xprofile_change_field_visibility' )
checks now passed by default. This resulted in the "Change" link
always being visible when editing a profile field even if an admin has enabled
"Enforce field visibility" for that particular field.

This commit fixes this issue by passing a null value if there are no
extra arguments to pass in bp_current_user_can(). Commit also includes
a unit test.

See #6730 (trunk).
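
The mechanism the ticket description and the commit message above describe (an empty array versus null arriving at isset( $args[0] ) in a capability mapper), as an added stand-alone PHP example that is not BuddyPress or WordPress code. Every demo_* function, the global $demo_current_field and the "enforced field" fixture are invented stand-ins for WordPress's user_can()/map_meta_cap plumbing and BuddyPress's capability wrapper.

```php
<?php
// Added example, not BuddyPress or WordPress code. All demo_* names, the
// global $demo_current_field and the "enforced" fixture are invented stand-ins.

// Stand-in for user_can()/WP_User::has_cap(): everything after the capability
// is collected into $args and handed to the mapping callback. This is why
// forwarding an empty array yields $args === array( array() ) downstream.
function demo_user_can( $user_id, $capability, ...$args ) {
    return demo_map_meta_caps( $user_id, $capability, $args );
}

// Stand-in for a capability mapper with the shape the ticket describes:
// $args[0] is an optional explicit field ID, and the field currently being
// edited (here a global fixture) is the fallback when no ID was passed.
function demo_map_meta_caps( $user_id, $capability, $args ) {
    global $demo_current_field;

    if ( 'bp_xprofile_change_field_visibility' !== $capability ) {
        return false;
    }

    $field_id = 0;
    if ( isset( $args[0] ) ) {
        // isset() is true for an empty array, so this branch wrongly wins when
        // the caller forwarded array(); (int) array() is 0, an unknown field.
        $field_id = (int) $args[0];
    } elseif ( isset( $demo_current_field['id'] ) ) {
        $field_id = (int) $demo_current_field['id'];
    }

    // Only a field with "Enforce field visibility" on blocks the change.
    return ! demo_visibility_is_enforced( $field_id );
}

// Constructed fixture: field 7 has "Enforce field visibility" enabled.
function demo_visibility_is_enforced( $field_id ) {
    $enforced = array( 7 => true );
    return ! empty( $enforced[ $field_id ] );
}

// 2.4.0-style wrapper: the parsed (possibly empty) argument array is forwarded
// unconditionally, so a plain call with no extra arguments reaches the mapper
// with $args[0] === array().
function demo_current_user_can_broken( $capability, $args = array() ) {
    return demo_user_can( 1, $capability, $args );
}

// Fixed wrapper: when nothing extra was supplied, forward null. isset( null )
// is false, so the mapper falls back to the field being edited. A supplied
// field ID is forwarded as a scalar so (int) $args[0] is meaningful.
function demo_current_user_can_fixed( $capability, $args = array() ) {
    $extra = isset( $args['field_id'] ) ? (int) $args['field_id'] : null;
    return demo_user_can( 1, $capability, $extra );
}

// Scenario: the user is editing field 7, whose visibility is enforced.
$demo_current_field = array( 'id' => 7 );
$cap = 'bp_xprofile_change_field_visibility';

// No extra arguments through the 2.4.0-style wrapper: the bug case.
var_dump( demo_current_user_can_broken( $cap ) );
// No extra arguments through the fixed wrapper: the fallback field is used.
var_dump( demo_current_user_can_fixed( $cap ) );
// Explicit field 3, which has no enforced visibility.
var_dump( demo_current_user_can_fixed( $cap, array( 'field_id' => 3 ) ) );
```

Run with `php demo.php`. The broken wrapper answers true for the no-argument call, which is the "Change" link showing up on an enforced field; the fixed wrapper answers false for the same call because the null lets isset( $args[0] ) fail and the enforced field 7 is consulted, and true when field 3 is named explicitly. The same reasoning is why dcavins' alternative of `isset() && ! empty()` would also have worked: both changes make an empty array lose the isset() race, one on the caller side and one in the mapper.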

#7 @r-a-y
4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Thanks for testing, @dcavins!

Closing this one.
