Opened 8 years ago
Closed 8 years ago
#7113 closed defect (bug) (fixed)
Changing the username in an activity permalink can display the activity of another user
Reported by: | imath | Owned by: | r-a-y |
---|---|---|---|
Milestone: | 2.6 | Priority: | normal |
Severity: | normal | Version: | 1.2 |
Component: | Activity | Keywords: | has-patch dev-feedback commit |
Cc: |
Description
Steps to reproduce:
Post an activity with user A, display the single activity, change the username in the URL to user B, the activity is displayed.
I'd suggest redirecting to $activity->user_id's profile if bp_displayed_user_id() is not consistent.
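The consistency check suggested in the description, as an added example that is not part of the ticket or of the BuddyPress patches. The function name, URL layout and sample data are hypothetical and stand in for BuddyPress's own lookups.

```php
<?php
// Added illustration; not BuddyPress code. All names below are hypothetical.

// Constructed sample data standing in for the users and activity tables.
$users = [1 => 'user-a', 2 => 'user-b'];
$activities = [
    42 => ['id' => 42, 'user_id' => 1, 'content' => 'Hello from A'],
];

/**
 * Decide how to answer a request for /members/{slug}/activity/{id}/.
 * The slug comes from the URL and is client-controlled, so it is only
 * accepted when it names the user who actually owns the activity row.
 */
function resolve_activity_permalink(string $slug, int $activityId, array $users, array $activities): array
{
    $activity = $activities[$activityId] ?? null;
    if ($activity === null) {
        return ['status' => 404];
    }

    $ownerId   = $activity['user_id'];
    $ownerSlug = $users[$ownerId] ?? null;
    if ($ownerSlug === null) {
        return ['status' => 404]; // owner account no longer exists
    }

    // Displayed user (from the URL) versus activity owner (from the row).
    $displayedId = array_search($slug, $users, true); // false when the slug is unknown
    if ($displayedId !== $ownerId) {
        // Inconsistent: send the client to the canonical URL instead of
        // rendering the activity under another member's profile.
        return [
            'status'   => 302,
            'location' => sprintf('/members/%s/activity/%d/', rawurlencode($ownerSlug), $activityId),
        ];
    }

    return ['status' => 200, 'body' => $activity['content']];
}

// Same activity id requested under the owner's slug and under another member's slug.
var_dump(resolve_activity_permalink('user-a', 42, $users, $activities)['status']);
var_dump(resolve_activity_permalink('user-b', 42, $users, $activities));
```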
Attachments (3)
Change History (9)
#2
@
8 years ago
The has-access.patch will end up redirecting to the user's profile or login screen. So a logged-in user that can access the activity will get wrong info. But I'm ok with whatever will be chosen :)
#3
@
8 years ago
@r-a-y actually I have doubts your patch will fix the issue if the user has access to the group in case of a group activity posted by another user.
#4
@
8 years ago
Good catch, imath. Updated patch removes the else check, which should fix the group check issue.
has-access.patch is what I recommended on Slack. It doesn't require us to write yet another bp_core_redirect() line, which I'm kind of against and because this bug only shows up if someone intentionally modifies the URI.