Skip to:
Content

BuddyPress.org

Opened 5 years ago

Closed 3 years ago

#8073 closed defect (bug) (fixed)

process_members_type_updte not checking for 1edit_users' capability

Reported by: venutius's profile Venutius Owned by: dcavins's profile dcavins
Milestone: 10.0.0 Priority: normal
Severity: normal Version:
Component: Members Keywords: needs-patch good-first-bug
Cc:

Description

Whislt checking the permission checks in buddypress/bp-members/classes/class-bp-members-admin.php I came across line 1228 which seems to omit the capability check for 'edit_users':

if ( ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {

I think this should be changed to:

if ( ! current_user_can( 'edit_users' ) && ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {

Change History (2)

#1 @imath
3 years ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 10.0.0

Hi,

I'd like to see a patch about it, if this can happen, I'm fine with including it into 10.0.0

#2 @dcavins
3 years ago

  • Owner set to dcavins
  • Resolution set to fixed
  • Status changed from new to closed

In 13161:

In BP_Members_Admin, add checks for 'edit_users' capability.

BP_Members_Admin checks the bp_moderate
capability in several situations when
checking whether or not the user can
generally edit users is also a sensible check.

Props venutius.

Fixes #8070.
Fixes #8072.
Fixes #8073.

Note: See TracTickets for help on using tickets.