Opened 5 years ago
Last modified 3 years ago
#8093 new defect (bug)
Field Visibility Not Honored in PHP 7.1 & above
Reported by: | brianbws | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Contributions | Priority: | normal |
Severity: | normal | Version: | 4.3.0 |
Component: | Extended Profile | Keywords: | has-patch 2nd-opinion |
Cc: |
Description
User setting field visibility option to 'only me' still shows those fields to others.
Expected result: Field is hidden to others who are non-admins.
This appears to work fine in PHP 7.0, but breaks as soon as you upgrade the server to PHP 7.1 or 7.2.
Forum thread:
https://buddypress.org/support/topic/field-visibility-option-not-worked/
Attachments (2)
Change History (17)
#2
@
5 years ago
- Keywords reporter-feedback removed
Thanks for looking into this @boonebgorges. After your comment, I made a fresh install and I'm having issues reproducing this as well.
At the same time, I also re-confirmed the issue with the problem site. I made sure to disable all plugins except buddypress and switch to the default unmodified twentyseventeen theme (and twentysixteen as well for good measure). I can still switch the bug on and off based on PHP 7.0 and 7.1. I can't figure out what else could be causing it.
The only difference between the problem site and a fresh install are the data and the fact that the problem site has about 14 field groups and 75+ fields among them.
I'm at a loss determining what else could be going on. :(
#3
@
5 years ago
Thanks for your additional testing. If you're able, you could dig deeper by investigating what's happening in bp_xprofile_get_hidden_fields_for_user()
and related functions, in the various scenarios.
#4
@
5 years ago
After some testing. I narrowed it down to here. In bp_xprofile_get_fields_by_visibility_levels() right after the first foreach.
http://hookr.io/functions/bp_xprofile_get_fields_by_visibility_levels/
In PHP 7.0.3: $user_visibility_levels=
Array ( [38] => public [39] => public [167] => adminsonly [58] => loggedin [59] => adminsonly [60] => adminsonly [61] => adminsonly [62] => adminsonly [63] => adminsonly [64] => adminsonly [65] => adminsonly [68] => adminsonly [71] => adminsonly [72] => adminsonly [77] => adminsonly [78] => public [79] => public [80] => public [83] => public [86] => public [89] => public [92] => public [95] => public [96] => public [101] => adminsonly [106] => adminsonly [107] => public [110] => public [113] => public [114] => public [115] => public [149] => adminsonly [150] => public [154] => public [155] => public [156] => public [157] => public [163] => adminsonly [164] => adminsonly [165] => adminsonly [166] => adminsonly [168] => adminsonly [169] => adminsonly [170] => adminsonly [171] => adminsonly [172] => public [173] => public [174] => public [175] => public [176] => public [177] => public [178] => public [179] => public [184] => public [185] => public [188] => public [189] => public [190] => public [191] => public [192] => public [193] => public [194] => public [195] => public [196] => public [197] => public [198] => public [199] => public [200] => public [208] => public [209] => public )
In PHP 7.1.4 and PHP 7.2.0: $user_visibility_levels=
pp laaaaaaa a aa appp p p p p pp a ap p ppp ap pppp aaaaaaaaapppppppp pp ppppppppppppp pp
Note that $default_visibility_levels comes it correctly in all versions.
#5
@
5 years ago
- Keywords needs-testing added
- Milestone changed from Awaiting Review to 5.0.0
It appears that the value coming back from the bp_get_user_meta()
call on 1286 is a string rather than an array: https://buddypress.trac.wordpress.org/browser/tags/4.3.0/src/bp-xprofile/bp-xprofile-functions.php?marks=1286#L1281 More recent versions of PHP treat this kind of thing differently from previous versions.
How the string got to be in the database, I'm unsure. But we can likely work around the issue by enforcing the array. Could you try 8093.diff to see if it does the trick for you?
#6
@
5 years ago
Yes! I can confirm that fixes it!
Not sure how it got in there. I will say we've been doing an import of users and user data using the "Import users from CSV with meta" plugin, but I don't think we ever messed with that meta key.
https://wordpress.org/plugins/import-users-from-csv-with-meta/
Separate, but related issue, why does "Enforce field visibility" also have to be set for "Only me" to hide the field to other subscribers? Even when a subscriber hasn't overridden the visibility setting from the default "only me," the field is still shown to other subscribers unless "Enforce field visibility" is set.
#7
@
5 years ago
OK, on the separate question, I can't seem reproduce on a new install. It appears to just be an issue with my problem site. It doesn't appear to be related to PHP versions though, happens on all versions, even with the new code.
#8
@
5 years ago
- Keywords has-patch 2nd-opinion added; needs-testing removed
Hi @brianbws & @boonebgorges
I've looked deeper into the problem and discovered that if for some reasons the user meta bp_xprofile_visibility_levels
is not saved as a serialized array:
1) I confirm the visibilities are not honored,
2) it's no more possible for the user to edit his fields visibilities,
8093.patch is making sure 1) & 2) are fixed, using the is_array()
check of Boone's first patch.
It's also adding a new repair tool to completely remove custom field visibilities for all users so that when this case happens, the administrator can make sure the default visibility he chose will be applied.
I'm unable to reproduce this behavior. I've tested both of the following scenarios:
Tested with two Subscriber-level accounts.
My guess is that there's some custom code on the installation that's either modifying WP user roles/permissions, or is modifying the way that BP's profile visibility system works (like maybe a filter on
bp_xprofile_get_hidden_fields_for_user
).My guess is that the PHP version is a red herring, and there's really a difference between the two installations, but this needs further investigation. See especially
bp_xprofile_get_hidden_fields_for_user()
, which is a good place to begin debugging.