BuddyPress.org

Opened 7 months ago

#8073 new defect (bug)

process_members_type_update not checking for 'edit_users' capability

Reported by: Venutius
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Members
Keywords:
Cc:

Description

Whilst checking the permission checks in buddypress/bp-members/classes/class-bp-members-admin.php I came across line 1228 which seems to omit the capability check for 'edit_users':

if ( ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {

I think this should be changed to:

if ( ! current_user_can( 'edit_users' ) && ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {
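
The following is an added illustration, not part of the ticket or of BuddyPress: it models the two guard conditions quoted above as pure functions and lists every capability/target combination in which they disagree. The function names, the `$caps` array and the user ids 7 and 8 are assumptions made for the example; the capability checks are represented as plain booleans rather than real WordPress calls.

```php
<?php
// Guard as quoted from line 1228; true means the update is refused.
function denied_current( array $caps, int $user_id, int $loggedin_id ): bool {
    return ! $caps['bp_moderate'] && $user_id != $loggedin_id;
}

// Guard as proposed in the ticket; true means the update is refused.
function denied_proposed( array $caps, int $user_id, int $loggedin_id ): bool {
    return ! $caps['edit_users'] && ! $caps['bp_moderate'] && $user_id != $loggedin_id;
}

// Walk all eight combinations and keep the rows where the outcome differs.
function changed_cases(): array {
    $loggedin_id = 7; // constructed id of the acting user
    $rows        = array();
    foreach ( array( false, true ) as $edit_users ) {
        foreach ( array( false, true ) as $bp_moderate ) {
            // 'self' targets the acting user, 'other' a different account (constructed ids).
            foreach ( array( 'self' => 7, 'other' => 8 ) as $target => $user_id ) {
                $caps   = compact( 'edit_users', 'bp_moderate' );
                $before = denied_current( $caps, $user_id, $loggedin_id );
                $after  = denied_proposed( $caps, $user_id, $loggedin_id );
                if ( $before !== $after ) {
                    $rows[] = compact( 'edit_users', 'bp_moderate', 'target', 'before', 'after' );
                }
            }
        }
    }
    return $rows;
}

foreach ( changed_cases() as $row ) {
    printf(
        "edit_users=%s bp_moderate=%s target=%s: refused %s -> %s\n",
        var_export( $row['edit_users'], true ),
        var_export( $row['bp_moderate'], true ),
        $row['target'],
        var_export( $row['before'], true ),
        var_export( $row['after'], true )
    );
}
```

Exactly one combination differs: a user with 'edit_users' but without 'bp_moderate', acting on another account, is refused by the current condition and allowed by the proposed one. Neither form of the condition refuses a user acting on their own account.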

Change History (0)