Skip to:
Content

BuddyPress.org

Opened 2 years ago

Closed 22 months ago

#7615 closed defect (bug) (fixed)

Message thread "conversation" view can be accessed under another participant's URL

Reported by: boonebgorges Owned by: djpaul
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Messages Keywords: has-patch
Cc:

Description

Two users, user1 and user2, both involved in a messages thread 456. Each should be able to view the thread at their respective URLs:

user1: /members/user1/messages/view/456
user2: /members/user2/messages/view/456

The screen loader function only checks to see whether the current user should have access to the thread. It doesn't check to see whether they're viewing it at the correct URL. So, user1 can view at user2's URL, and vice versa. https://buddypress.trac.wordpress.org/browser/tags/2.9.1/src/bp-messages/bp-messages-screens.php?marks=132#L107

Not really a security issue, since users (a) should have access to the content itself, and (b) can't perform any other private actions, but definitely confusing.

See attached patch for a suggested fix: bp_core_no_access() if ! bp_is_my_profile().

Attachments (1)

7615.diff (622 bytes) - added by boonebgorges 2 years ago.

Download all attachments as: .zip

Change History (3)

@boonebgorges
2 years ago

#1 @DJPaul
23 months ago

Patch looks ok

#2 @djpaul
22 months ago

  • Owner set to djpaul
  • Resolution set to fixed
  • Status changed from new to closed

In 11752:

Messages: fix reading messages by enforcing a canonical URL.

The screen loader function only checks to see whether the current user should have access to the message thread.
This change makes sure that user is viewing it at their correct URL.

This is not a security issue/fix, just a design oversight.

Fixes #7615

Props boonebgorges

Note: See TracTickets for help on using tickets.