BuddyPress.org

Opened 8 years ago

Closed 8 years ago

#7113 closed defect (bug) (fixed)

Changing the username in an activity permalink can display the activity of another user

Reported by: imath
Owned by: r-a-y
Milestone: 2.6
Priority: normal
Severity: normal
Version: 1.2
Component: Activity
Keywords: has-patch dev-feedback commit
Cc:

Description

Steps to reproduce:

Post an activity as user A, display the single activity, then change the username in the URL to user B: the activity is still displayed.

I'd suggest redirecting to $activity->user_id's profile if bp_displayed_user_id() is not consistent.
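The check the description proposes, written out as an added example for illustration; it is not one of the patches attached to this ticket and not BuddyPress core code. It relies on bp_displayed_user_id() and bp_core_redirect(), which the ticket names, and additionally assumes that bp_is_single_activity(), bp_current_action(), bp_activity_get_specific(), bp_core_get_user_domain() and the bp_template_redirect action are available with their usual BuddyPress meaning; the function names prefixed example_7113_ are hypothetical.

```php
<?php
/**
 * Added example (not a ticket patch, not BuddyPress core): refuse to render a
 * single activity item under a username that is not the activity author's.
 *
 * Assumed BuddyPress APIs beyond those named in the ticket:
 * bp_is_single_activity(), bp_current_action(), bp_activity_get_specific(),
 * bp_core_get_user_domain(), and the 'bp_template_redirect' action.
 */

/**
 * Decide whether the requested permalink is consistent with the activity's
 * real author. Returns null when it is, otherwise the author's profile URL
 * that the request should be redirected to. Kept free of request state so the
 * decision can be reasoned about (and unit-tested) in isolation.
 *
 * @param int $activity_user_id  Author id stored on the activity row.
 * @param int $displayed_user_id Id resolved from the username in the URL.
 * @return string|null
 */
function example_7113_canonical_redirect( $activity_user_id, $displayed_user_id ) {
    if ( (int) $activity_user_id === (int) $displayed_user_id ) {
        return null; // URL and data agree: render as normal.
    }

    // The username in the URL does not own this activity; send the visitor
    // to the author's own profile instead of rendering under a foreign name.
    return bp_core_get_user_domain( (int) $activity_user_id );
}

/**
 * Request-time enforcement: load the activity named in the URL, compare its
 * author with the displayed user, and redirect on mismatch.
 */
function example_7113_enforce_author_permalink() {
    if ( ! bp_is_single_activity() ) {
        return; // Only single-activity permalinks are affected.
    }

    // On a single-activity page the current action is the activity id.
    $activity_id = (int) bp_current_action();
    if ( ! $activity_id ) {
        return;
    }

    $result = bp_activity_get_specific( array( 'activity_ids' => array( $activity_id ) ) );
    if ( empty( $result['activities'][0] ) ) {
        return; // Unknown id: leave the normal 404 handling in place.
    }
    $activity = $result['activities'][0];

    $redirect = example_7113_canonical_redirect( $activity->user_id, bp_displayed_user_id() );
    if ( null !== $redirect ) {
        bp_core_redirect( $redirect );
    }
}
add_action( 'bp_template_redirect', 'example_7113_enforce_author_permalink' );
```

The pure helper makes the failure mode explicit: the bug is that the data lookup keys on the activity id alone while the URL also carries a username, so nothing ties the two together unless a check like this compares them. A redirect to the author's profile, as suggested above, keeps the canonical URL for the item; a variant that instead denies access (as later discussed in this ticket) would return a 404 or login redirect at the same point.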

Attachments (3)

7113.has-access.patch (340 bytes) - added by r-a-y 8 years ago.
7113.patch (616 bytes) - added by imath 8 years ago.
7113.has-access.02.patch (489 bytes) - added by r-a-y 8 years ago.

Change History (9)

#1 @r-a-y
8 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed
  • Version set to 1.2

has-access.patch is what I recommended on Slack.

It doesn't require us to write yet another bp_core_redirect() line, which I'm kind of against, and this bug only shows up if someone intentionally modifies the URI.

@imath
8 years ago

#2 @imath
8 years ago

The has-access.patch will end up redirecting to the user's profile or the login screen. So a logged-in user that can access the activity will get wrong info. But I'm OK with whatever will be chosen :)

#3 @imath
8 years ago

@r-a-y Actually, I have doubts your patch will fix the issue if the user has access to the group, in the case of a group activity posted by another user.

#4 @r-a-y
8 years ago

Good catch, imath. Updated patch removes the else check, which should fix the group check issue.

#5 @imath
8 years ago

  • Keywords commit added

OK, just tested has-access.02. I confirm it fixes the issue; let's go with it ;)

#6 @r-a-y
8 years ago

  • Owner set to r-a-y
  • Resolution set to fixed
  • Status changed from new to closed

In 10880:

Activity: Ensure that single activity pages are only rendered from the activity author's page.

Props tw2113, imath.

Fixes #7113.
