#7530 closed defect (bug) (fixed)

Fetching of ALL users from bp_friends_prime_mentions_results() for non logged in users

Reported by: dsar Owned by: r-a-y
Milestone: 2.9 Priority: normal
Severity: normal Version: 2.1
Component: Friends Keywords: has-patch
Cc: bn.bhandari90@…



Currently, bp_friends_prime_mentions_results()'s only check for whether a user is not logged in depends on a WordPress filter (bp_activity_maybe_load_mentions_scripts). When another plugin hooks this filter at a high priority and returns true, as is currently the case with rtMedia, bp_friends_prime_mentions_results() will run completely even for non-logged-in users.
This results in ALL users being listed on all pages for non-logged-in users.

This is a huge issue, and although it's initiated by rtMedia's code, I believe BuddyPress should have a check to avoid this problem. It's as easy as adding a

// Bail out for non-logged-in visitors (their user id is 0).
if ( get_current_user_id() == 0 ) {
	return;
}

check to bp_friends_prime_mentions_results().

Maybe a better, or additional fix would be to change how BP_User_Query class works - currently passing user_id 0 to it will return all users. I think it should return no users. This would be doable by changing default user_id in it to null or false and having a proper check for it. Currently, default for user_id is 0 and check if user_id is passed is using empty().

Attachments (1)

7530.patch (511 bytes) - added by bhargavbhandari90 10 months ago.
Here is the patch. Check this and let us know.


Change History (8)

#1 @bhargavbhandari90
10 months ago

  • Cc bn.bhandari90@… added

#2 @bhargavbhandari90
10 months ago

  • Version set to 2.8.2

Hi @dsar,

I have a second thought on this.

// Stop here if user is not logged in.
if ( ! is_user_logged_in() ) {
	return;
}

This above code will also do the same thing.


#3 @bhargavbhandari90
10 months ago

  • Keywords 2nd-opinion has-patch added

#4 @dsar
10 months ago

Hi @bhargavbhandari90,

That's even better, thank you!

What do you think about my suggestion for changing of how BP_User_Query class works? I really think this is a bug as well, as documentation states:

user_id (optional)
Pass a single numeric user id to limit results to friends of that user. Requires the Friends component.
Default value: 0

which doesn't really happen if passed user_id is 0. In that case, all users are returned.
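An illustrative PHP model of the two behaviours compared in this ticket, added here as an example and not BuddyPress's own code: a query whose user_id defaults to 0 and is tested with empty() (so a logged-out visitor's id of 0 means "no filter"), next to the null-default alternative dsar proposes, plus the logged-in guard from the patch. The user and friendship arrays are constructed sample data and the function names are hypothetical.

```php
<?php
// Constructed sample data: user ids => login names, and each user's friend ids.
$users       = array( 1 => 'alice', 2 => 'bob', 3 => 'carol' );
$friendships = array( 1 => array( 2 ), 2 => array( 1 ), 3 => array() );

// Current behaviour: user_id defaults to 0 and the check uses empty(), so an
// explicit user_id of 0 (a logged-out visitor) is indistinguishable from
// "no user filter" and every user is returned.
function friends_query_current( array $args, array $users, array $friendships ) {
	$args = array_merge( array( 'user_id' => 0 ), $args );
	if ( empty( $args['user_id'] ) ) {
		return $users;
	}
	$ids = isset( $friendships[ $args['user_id'] ] ) ? $friendships[ $args['user_id'] ] : array();
	return array_intersect_key( $users, array_flip( $ids ) );
}

// Proposed behaviour: only a null user_id means "no filter". An explicit 0
// refers to a user that has no friendships, so nothing is returned.
function friends_query_proposed( array $args, array $users, array $friendships ) {
	$args = array_merge( array( 'user_id' => null ), $args );
	if ( null === $args['user_id'] ) {
		return $users;
	}
	$uid = (int) $args['user_id'];
	$ids = isset( $friendships[ $uid ] ) ? $friendships[ $uid ] : array();
	return array_intersect_key( $users, array_flip( $ids ) );
}

// The guard the patch adds: return before querying when nobody is logged in,
// independent of what bp_activity_maybe_load_mentions_scripts returns.
// The integer parameter stands in for get_current_user_id() / is_user_logged_in().
function prime_mentions( $current_user_id, array $users, array $friendships ) {
	if ( 0 === $current_user_id ) {
		return array();
	}
	return friends_query_current( array( 'user_id' => $current_user_id ), $users, $friendships );
}

// Logged-out visitor against the current query versus the proposed one,
// then the same visitor and a logged-in user through the guarded function.
print_r( friends_query_current( array( 'user_id' => 0 ), $users, $friendships ) );
print_r( friends_query_proposed( array( 'user_id' => 0 ), $users, $friendships ) );
print_r( prime_mentions( 0, $users, $friendships ) );
print_r( prime_mentions( 1, $users, $friendships ) );
```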

#5 @r-a-y
10 months ago

  • Component changed from (not sure) to Friends
  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 2.9
  • Severity changed from major to normal
  • Version changed from 2.8.2 to 2.1

@bhargavbhandari90's patch looks good.

We'll commit that for v2.9.

As for @dsar's question about user_id = 0, I don't think we should change the default value, otherwise some plugins expecting the user_id to be 0 will no longer work. Will need some other feedback from other devs if we want to change this behavior.

#6 @bhargavbhandari90
10 months ago

@r-a-y I agree.

And yes, we need some other feedback.

#7 @r-a-y
10 months ago

  • Owner set to r-a-y
  • Resolution set to fixed
  • Status changed from new to closed

In 11561:

Friends: Do not prime mention results if user is not logged in.

Props bhargavbhandari90.

Fixes #7530.
