BuddyPress.org

Opened 7 years ago

Closed 7 years ago

#7615 closed defect (bug) (fixed)

Message thread "conversation" view can be accessed under another participant's URL

Reported by: boonebgorges Owned by: djpaul
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Messages Keywords: has-patch
Cc:

Description

Two users, user1 and user2, are both involved in messages thread 456. Each should be able to view the thread at their respective URLs:

user1: /members/user1/messages/view/456
user2: /members/user2/messages/view/456

The screen loader function only checks to see whether the current user should have access to the thread. It doesn't check to see whether they're viewing it at the correct URL. So, user1 can view at user2's URL, and vice versa. https://buddypress.trac.wordpress.org/browser/tags/2.9.1/src/bp-messages/bp-messages-screens.php?marks=132#L107

Not really a security issue, since users (a) should have access to the content itself, and (b) can't perform any other private actions, but definitely confusing.

See attached patch for a suggested fix: bp_core_no_access() if ! bp_is_my_profile().
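The two checks the ticket describes, modelled as a standalone runnable function. This is an added example, not the attached 7615.diff and not BuddyPress's own code; the thread table, user names, URLs and the helper name are constructed, and the second check stands in for the bp_is_my_profile() test the patch adds.

```php
<?php
// Added example (not the 7615.diff patch, not BuddyPress code).
// Constructed sample data: thread 456 has two participants, user1 and user2.
$threads = array(
    456 => array( 'recipients' => array( 'user1', 'user2' ) ),
);

/**
 * Decide whether $current_user may load /members/$displayed_user/messages/view/$thread_id.
 * Returns 'allow', 'no-access' (not a participant of the thread) or
 * 'wrong-url' (a participant, but viewing under another member's profile:
 * the case the ticket reports, which the fix turns into bp_core_no_access()).
 */
function conversation_access( array $threads, $current_user, $displayed_user, $thread_id ) {
    if ( ! isset( $threads[ $thread_id ] ) ) {
        return 'no-access';
    }
    // Original check: is the current user a recipient of the thread?
    if ( ! in_array( $current_user, $threads[ $thread_id ]['recipients'], true ) ) {
        return 'no-access';
    }
    // Canonical-URL check added by the fix, the equivalent of ! bp_is_my_profile():
    // the thread must be viewed under the logged-in user's own profile URL.
    if ( $current_user !== $displayed_user ) {
        return 'wrong-url';
    }
    return 'allow';
}

// Constructed requests: each user at their own URL, user1 at user2's URL,
// and an outsider (user3) who is not a participant at all.
$cases = array(
    array( 'user1', 'user1', 456 ),
    array( 'user2', 'user2', 456 ),
    array( 'user1', 'user2', 456 ),
    array( 'user3', 'user3', 456 ),
);
foreach ( $cases as list( $viewer, $profile, $tid ) ) {
    printf(
        "%s at /members/%s/messages/view/%d => %s\n",
        $viewer, $profile, $tid,
        conversation_access( $threads, $viewer, $profile, $tid )
    );
}
```

Only the third request, user1 viewing thread 456 under user2's URL, reaches the 'wrong-url' branch; the original loader would have let it through because the participant check alone passes.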

Attachments (1)

7615.diff (622 bytes) - added by boonebgorges 7 years ago.


Change History (3)

@boonebgorges
7 years ago

#1 @DJPaul
7 years ago

Patch looks ok

#2 @djpaul
7 years ago

  • Owner set to djpaul
  • Resolution set to fixed
  • Status changed from new to closed

In 11752:

Messages: fix reading messages by enforcing a canonical URL.

The screen loader function only checks to see whether the current user should have access to the message thread.
This change makes sure that user is viewing it at their correct URL.

This is not a security issue/fix, just a design oversight.

Fixes #7615

Props boonebgorges
