Skip to:

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#7704 closed defect (bug) (fixed)

[legacy template pack]: Ajax pagination and filters for group members list shows all members

Reported by: jdgrimes's profile jdgrimes Owned by: dcavins's profile dcavins
Milestone: 2.9.4 Priority: normal
Severity: normal Version: 2.9.2
Component: Templates Keywords:
Cc: dcavins


Steps to reproduce:

  • First be sure that you are using the Legacy template pack, and that JS is enabled in your browser.
  • Go to the Members tab for a group. Note the number of members and number of pages.
  • Then either click on page 2 (or another page), or change the selection in the order by dropdown.

Expected result:

The next page is displayed or the members list is reordered, respectively.

Actual result:

The Ajax refresh will result in all members being included in the list, not just the members of the group.

Tested on both 2.9.3 and trunk.

The cause:

The problem appears to be that bp_legacy_theme_object_template_loader() contains this:


        if ( ! empty( $_POST['template'] ) && 'groups/single/members' === $_POST['template'] && 'members' === $object ) {
                $template_part = 'groups/single/members.php';

However, in buddypress.js, in bp_filter_request(), is this:


        if ( 'friends' === object || 'group_members' === object ) {
                object = 'members';

So the value of object ends up being members instead of group_members, in the Ajax request. But it is expected to be group_members in the Ajax response handler, for the correct template to be used.

The fix:

Changing group_members to members in bp_legacy_theme_object_template_loader() fixed the issue for me.


Change History (10)

#1 @dcavins
6 years ago

  • Cc dcavins added
  • Milestone changed from Awaiting Review to 3.0
  • Owner set to dcavins
  • Status changed from new to accepted

#2 @dcavins
6 years ago

It looks like this logic was changed in this revision:

@DJPaul, removing the && 'group_members' === $object clause in bp_legacy_theme_object_template_loader() fixes this issue. Is there a situation in which 'groups/single/members' === $_POST['template'] would be set, and some other object would be set, or can we dispense with the $object check?



#3 @DJPaul
6 years ago

That was part of the last security release. We'd have to check any changes here carefully.

cc @boonebgorges

#4 @DJPaul
6 years ago

  • Milestone changed from 3.0 to 2.9.3

#5 @DJPaul
6 years ago

  • Version changed from 2.9.3 to 2.9.2

#6 @boonebgorges
6 years ago

@jdgrimes Thanks very much for the clear ticket.

@dcavins Your fix looks correct. The change in bp-legacy in [11821] was my code, and the extra 'group_members' check was meant to limit the use of this 'template' feature, but it was ill-conceived. Taking it out does appear to fix the issue, and doesn't have any security implications.

No similar change is needed at the moment in bp-nouveau. See #7689, which rethinks the way AJAX templates are chosen, and which must be resolved separately before BP 3.0.

#7 @dcavins
6 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 11871:

Fix group members list AJAX pagination.

Correct broken AJAX pagination on group members list, introduced in r11821.

Props jdgrimes.

Fixes #7704.

#8 @dcavins
6 years ago

In 11872:

Fix group members list AJAX pagination.

Correct broken AJAX pagination on group members list, introduced in r11821.

Props jdgrimes.

Fixes #7704.

This ticket was mentioned in Slack in #buddypress by dcavins. View the logs.

6 years ago

#10 @DJPaul
6 years ago

  • Milestone changed from 2.9.3 to 2.9.4

Milestone renamed

Note: See TracTickets for help on using tickets.