Skip to:

Opened 7 years ago

Closed 7 years ago

#7530 closed defect (bug) (fixed)

Fetching of ALL users from bp_friends_prime_mentions_results() for non logged in users

Reported by: dsar's profile dsar Owned by: r-a-y's profile r-a-y
Milestone: 2.9 Priority: normal
Severity: normal Version: 2.1
Component: Friends Keywords: has-patch
Cc: bn.bhandari90@…



Currently, bp_friends_prime_mentions_results()'s only check if a user is not logged in is dependent on Wordpress filter (bp_activity_maybe_load_mentions_scripts). When another plugin sets high priority for this filter and returns true, as is the case currently with rtMedia
bp_friends_prime_mentions_results() will run completely even for non logged in users.
This results in listing of ALL users on all pages for non-logged in users.

This is a huge issue, and although it's initiated by rtMEdia's code, I believe Buddypress should have a check to avoid this problem. It's as easy as adding

if (get_current_user_id() == 0) {

check to bp_friends_prime_mentions_results().

Maybe a better, or additional fix would be to change how BP_User_Query class works - currently passing user_id 0 to it will return all users. I think it should return no users. This would be doable by changing default user_id in it to null or false and having a proper check for it. Currently, default for user_id is 0 and check if user_id is passed is using empty().

Attachments (1)

7530.patch (511 bytes) - added by bhargavbhandari90 7 years ago.
Here is the patch. Check this and let us know.

Download all attachments as: .zip

Change History (8)

#1 @bhargavbhandari90
7 years ago

  • Cc bn.bhandari90@… added

#2 @bhargavbhandari90
7 years ago

  • Version set to 2.8.2

Hi @dsar,

I have a second thought on this.

// Stop here if user is not logged in.
if ( ! is_user_logged_in() ) {

This above code will also do the same.

Last edited 7 years ago by bhargavbhandari90 (previous) (diff)

7 years ago

Here is the patch. Check this and let us know.

#3 @bhargavbhandari90
7 years ago

  • Keywords 2nd-opinion has-patch added

#4 @dsar
7 years ago

Hi @bhargavbhandari90,

That's even better, thank you!

What do you think about my suggestion for changing of how BP_User_Query class works? I really think this is a bug as well, as documentation states:

user_id (optional)
Pass a single numeric user id to limit results to friends of that user. Requires the Friends component.
Default value: 0

which doesn't really happen if passed user_id is 0. In that case, all users are returned.

#5 @r-a-y
7 years ago

  • Component changed from (not sure) to Friends
  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 2.9
  • Severity changed from major to normal
  • Version changed from 2.8.2 to 2.1

@bhargavbhandari90 's patch looks good.

We'll commit that for v2.9.

As for @dsar 's question about user_id = 0, I don't think we should change the default value, otherwise some plugins expecting the user_id to be 0 will no longer work. Will need some other feedback from other devs if we want to change this behavior.

#6 @bhargavbhandari90
7 years ago

@r-a-y I agreed.

And yes, we need some other feedback.

#7 @r-a-y
7 years ago

  • Owner set to r-a-y
  • Resolution set to fixed
  • Status changed from new to closed

In 11561:

Friends: Do not prime mention results if user is not logged in.

Props bhargavbhandari90.

Fixes #7530.

Note: See TracTickets for help on using tickets.