Opened 7 years ago
Closed 7 years ago
#7622 closed defect (bug) (fixed)
bp_message_notice_delete_link uses wrong action for nonce generation
Reported by: | Owned by:
Milestone: 3.0 | Priority: normal
Severity: normal | Version:
Component: Messages | Keywords:
Cc:
Description
In the file buddypress/bp-messages/bp-messages-template.php, on line 1226 it uses 'messages_delete_thread' as the action, but it should be 'messages_delete_notice', or deletion of notices is not possible because the nonce verification fails, since it checks for 'messages_delete_notice'.
Change History (4)
#1
@
7 years ago
- Keywords reporter-feedback added
- Milestone changed from Awaiting Review to Under Consideration
Hi @tobiashonold
Where are you seeing messages_delete_notice? I can't find that. What theme are you using, and what version of BuddyPress are you looking at this in, please? Thanks.
#2
@
7 years ago
- Keywords reporter-feedback removed
2.9.2.
The check is in the file buddypress/bp-messages/bp-messages-actions.php on line 160, inside the bp_messages_action_edit_notice function:
check_admin_referer( "messages_{$action}_notice" );
The $action in this case is delete, of course. Here it fails if the notice delete button nonce gets created with 'messages_delete_thread' as the action.
#3
@
7 years ago
- Milestone changed from Under Consideration to 3.0
That is an exceptionally great find. I've tracked it back at least 6 years before I gave up; it probably dates back to the first days of the project. I guess this shows how few people use notices, which is an interesting data point that we now have.
Great find @tobiashonold
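The mismatch described in comment #2 can be reproduced without a WordPress install. The following is an added example, not BuddyPress or WordPress code: demo_create_nonce() and demo_verify_nonce() are stand-ins for wp_create_nonce() and wp_verify_nonce() that keep their essential shape (a truncated HMAC over tick, action, user id and session token, valid for the current and previous tick), and demo_notice_action_check() mirrors the check_admin_referer( "messages_{$action}_notice" ) call on the verifying side. The secret, user id and session token are constructed values for the example only.

```php
<?php
// Added example (not BuddyPress or WordPress code): a minimal nonce scheme
// with the same structure as WordPress nonces, used to show why a nonce
// generated for 'messages_delete_thread' is rejected by a verifier that
// checks for 'messages_delete_notice'.

const NONCE_LIFE = 86400;                          // 24 h, as WordPress uses
const DEMO_SECRET = 'constructed-secret-key-for-this-example';   // constructed
const DEMO_USER_ID = 42;                                         // constructed
const DEMO_SESSION_TOKEN = 'constructed-session-token';          // constructed

// Time is split into half-lifetime ticks so a nonce survives a tick boundary:
// the verifier accepts the current tick and the previous one.
function demo_nonce_tick(): int {
    return (int) ceil(time() / (NONCE_LIFE / 2));
}

// The action string is part of the HMAC input, so a nonce is bound to the
// exact action it was created for.
function demo_nonce_hash(int $tick, string $action): string {
    $data = $tick . '|' . $action . '|' . DEMO_USER_ID . '|' . DEMO_SESSION_TOKEN;
    return substr(hash_hmac('md5', $data, DEMO_SECRET), -12, 10);
}

// Stand-in for wp_create_nonce( $action ).
function demo_create_nonce(string $action): string {
    return demo_nonce_hash(demo_nonce_tick(), $action);
}

// Stand-in for wp_verify_nonce( $nonce, $action ): 1 for the current tick,
// 2 for the previous tick, false otherwise. Constant-time comparison as WP does.
function demo_verify_nonce(string $nonce, string $action) {
    $tick = demo_nonce_tick();
    if (hash_equals(demo_nonce_hash($tick, $action), $nonce)) {
        return 1;
    }
    if (hash_equals(demo_nonce_hash($tick - 1, $action), $nonce)) {
        return 2;
    }
    return false;
}

// Verifying side, shaped like bp_messages_action_edit_notice(): the action
// ('delete', 'activate', ...) comes from the request and is interpolated
// into the expected nonce action.
function demo_notice_action_check(string $nonce, string $action) {
    return demo_verify_nonce($nonce, "messages_{$action}_notice");
}

function describe($result): string {
    return $result === false ? 'rejected' : 'accepted';
}

// Before the fix: the delete link's nonce was built with the thread action.
$broken_link_nonce = demo_create_nonce('messages_delete_thread');
echo "link built with messages_delete_thread: ",
     describe(demo_notice_action_check($broken_link_nonce, 'delete')), PHP_EOL;

// After the fix: generator and verifier use the same action string.
$fixed_link_nonce = demo_create_nonce('messages_delete_notice');
echo "link built with messages_delete_notice: ",
     describe(demo_notice_action_check($fixed_link_nonce, 'delete')), PHP_EOL;
```

Run it with `php` on the command line. The point worth noting for review is that the bug fails closed: the action string feeds the HMAC, so a link generated under one action can never satisfy a verifier expecting another, and the only effect is that legitimate notice deletions are refused. That is why it could sit unnoticed for years. The direction to watch for in similar code is the opposite one, a verifier that accepts a broader or generic action than the one the link was issued for, since that would weaken the CSRF protection rather than merely break a button.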