Opened 7 years ago
Closed 7 years ago
#7530 closed defect (bug) (fixed)
Fetching of ALL users from bp_friends_prime_mentions_results() for non logged in users
Reported by: | dsar | Owned by: | r-a-y |
---|---|---|---|
Milestone: | 2.9 | Priority: | normal |
Severity: | normal | Version: | 2.1 |
Component: | Friends | Keywords: | has-patch |
Cc: | bn.bhandari90@… |
Description
Hello,
Currently, bp_friends_prime_mentions_results()'s only check if a user is not logged in is dependent on a WordPress filter (bp_activity_maybe_load_mentions_scripts). When another plugin sets a high priority for this filter and returns true, as is currently the case with rtMedia (https://github.com/rtMediaWP/rtMedia/blob/d9d060dc59fe0a153df57e2dd7e062ad5c6721e9/app/main/RTMedia.php#L220-L236), bp_friends_prime_mentions_results() will run completely even for non-logged-in users.
This results in a listing of ALL users on all pages for non-logged-in users.
This is a huge issue, and although it's initiated by rtMedia's code, I believe BuddyPress should have a check to avoid this problem. It's as easy as adding
if (get_current_user_id() == 0) { return; }
check to bp_friends_prime_mentions_results().
Maybe a better or additional fix would be to change how the BP_User_Query class works - currently, passing user_id 0 to it will return all users. I think it should return no users. This would be doable by changing the default user_id in it to null or false and having a proper check for it. Currently, the default for user_id is 0 and the check for whether user_id is passed uses empty().
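The `empty()` ambiguity and the proposed guard from the report above, as an added PHP example that is not part of the ticket and is not BuddyPress or rtMedia code. `FRIENDS`, `members_loose()`, `members_strict()` and `prime_mentions()` are hypothetical stand-ins built on constructed data.

```php
<?php
// Constructed sample data: member id => ids of that member's friends.
const FRIENDS = [
    1 => [2, 3],
    2 => [1],
    3 => [1],
    4 => [],
];

// Loose form (hypothetical): default 0 plus an empty() test, the pattern
// the report describes. empty(0) is true, so a logged-out visitor (id 0)
// is indistinguishable from "no user_id filter" and every member is returned.
function members_loose(int $user_id = 0): array
{
    if (empty($user_id)) {
        return array_keys(FRIENDS);
    }
    return FRIENDS[$user_id] ?? [];
}

// Strict form (hypothetical): null is the only "no filter" sentinel.
// Any integer, including 0, is treated as a real id, so 0 matches nobody.
function members_strict(?int $user_id = null): array
{
    if ($user_id === null) {
        return array_keys(FRIENDS);
    }
    return FRIENDS[$user_id] ?? [];
}

// Caller-side guard in the spirit of the check proposed in the report:
// decide on the login state locally instead of relying on a filter that
// another plugin can override.
function prime_mentions(int $current_user_id, callable $query): array
{
    if ($current_user_id === 0) {
        return [];
    }
    return $query($current_user_id);
}

$visitor = 0; // get_current_user_id() returns 0 when nobody is logged in
var_dump(members_loose($visitor));                   // unguarded, loose query
var_dump(members_strict($visitor));                  // unguarded, strict query
var_dump(prime_mentions($visitor, 'members_loose')); // guarded caller, visitor
var_dump(prime_mentions(1, 'members_loose'));        // guarded caller, member 1
```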
Attachments (1)
Change History (8)
#4
@
7 years ago
Hi @bhargavbhandari90,
That's even better, thank you!
What do you think about my suggestion for changing how the BP_User_Query class works? I really think this is a bug as well, as the documentation states:
user_id (optional)
Pass a single numeric user id to limit results to friends of that user. Requires the Friends component.
Default value: 0
which doesn't really happen if passed user_id is 0. In that case, all users are returned.
#5
@
7 years ago
- Component changed from (not sure) to Friends
- Keywords 2nd-opinion removed
- Milestone changed from Awaiting Review to 2.9
- Severity changed from major to normal
- Version changed from 2.8.2 to 2.1
@bhargavbhandari90's patch looks good.
We'll commit that for v2.9.
As for @dsar's question about user_id = 0, I don't think we should change the default value, otherwise some plugins expecting the user_id to be 0 will no longer work. Will need some other feedback from other devs if we want to change this behavior.
Hi @dsar,
I have a second thought on this.
This above code will also do the same thing.