#7553 closed defect (bug) (fixed)
Xprofile field default visibility not honored during POST processing of registration form
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 2.9 | Priority: | high |
Severity: | normal | Version: | 1.6 |
Component: | Registration | Keywords: | has-patch |
Cc: |
Description
I have an application requirement whereby the standard profile field visibility controls are NOT to be presented on the registration page, so I cloned the standard members/register.php template and simply removed all the visibility-related elements.
This of course has the effect of no visibility-related fields being posted on form submission, and when the POST (usermeta) data is processed, the net effect is that each field's visibility is set to public, as the processing does not take into account the field's (potentially defined) default visibility.
This raises a bit of a security problem in our application, as several profile fields are for User and Admin use. (I elected to not post this report in the WordPress Hacker One program as I don't believe it ranks up there as a typical "security issue".)
This problem exists in the BP_Signup class (buddypress/bp-members/classes/class-bp-signup.php), in the add_backcompat() method, at lines 392-393:
// Save the visibility level. $visibility_level = ! empty( $usermeta['field_' . $field_id . '_visibility'] ) ? $usermeta['field_' . $field_id . '_visibility'] : 'public'; xprofile_set_field_visibility_level( $field_id, $user_id, $visibility_level );
The fix for this security problem is something like the following (the mod we use to get past this problem for now):
// Save the visibility level. // Use the field's default visibility if not present, and use 'public' IFF a default visibility is not defined $key = 'field_' . $field_id . '_visibility'; if ( isset( $usermeta[ $key ] ) ) { $visibility_level = $usermeta[ $key ]; } else { $vfield = xprofile_get_field( $field_id ); $visibility_level = isset( $vfield->default_visibility ) ? $vfield->default_visibility : 'public'; } xprofile_set_field_visibility_level( $field_id, $user_id, $visibility_level );
This problem exists in BP 2.8.2; no other versions have been examined. Hopefully this can be fixed in the next point release.
Attachments (2)
Change History (12)
This ticket was mentioned in Slack in #buddypress by offereins. View the logs.
8 years ago
#2
@
8 years ago
- Component changed from Core to Registration
- Milestone changed from Awaiting Review to 2.9
#3
@
8 years ago
- Keywords needs-unit-tests added
- Version changed from 2.8.2 to 1.6
I've patched what @uscore713 recommends, as well as another spot that uses xprofile_set_field_visibility_level()
in bp_core_activate_signup()
.
Needs unit tests.
This ticket was mentioned in Slack in #buddypress by r-a-y. View the logs.
8 years ago
#6
@
8 years ago
- Keywords needs-unit-tests removed
02.patch
includes a unit test exhibiting the problem.
I think this is ready for commit.
Hi @uscore713 - thanks for the report. We think you're right, and will look at for our next release, 2.9 (which has just entered beta).