Skip to:
Content

BuddyPress.org

Opened 7 months ago

Last modified 4 months ago

#8093 new defect (bug)

Field Visibility Not Honored in PHP 7.1 & above

Reported by: brianbws Owned by:
Milestone: Up Next Priority: normal
Severity: normal Version: 4.3.0
Component: Extended Profile Keywords: has-patch 2nd-opinion
Cc:

Description

User setting field visibility option to 'only me' still shows those fields to others.

Expected result: Field is hidden to others who are non-admins.

This appears to work fine in PHP 7.0, but breaks as soon as you upgrade the server to PHP 7.1 or 7.2.

Forum thread:
https://buddypress.org/support/topic/field-visibility-option-not-worked/

Attachments (2)

8093.diff (624 bytes) - added by boonebgorges 7 months ago.
8093.patch (6.7 KB) - added by imath 4 months ago.

Download all attachments as: .zip

Change History (11)

#1 @boonebgorges
7 months ago

  • Keywords reporter-feedback added

I'm unable to reproduce this behavior. I've tested both of the following scenarios:

  1. The field is set to 'Enforce field visibility' with visibility set to 'Only Me'
  2. The field is set to 'Allow members to override' and the profile owner changes to 'Only Me'

Tested with two Subscriber-level accounts.

My guess is that there's some custom code on the installation that's either modifying WP user roles/permissions, or is modifying the way that BP's profile visibility system works (like maybe a filter on bp_xprofile_get_hidden_fields_for_user).

My guess is that the PHP version is a red herring, and there's really a difference between the two installations, but this needs further investigation. See especially bp_xprofile_get_hidden_fields_for_user(), which is a good place to begin debugging.

#2 @brianbws
7 months ago

  • Keywords reporter-feedback removed

Thanks for looking into this @boonebgorges. After your comment, I made a fresh install and I'm having issues reproducing this as well.

At the same time, I also re-confirmed the issue with the problem site. I made sure to disable all plugins except buddypress and switch to the default unmodified twentyseventeen theme (and twentysixteen as well for good measure). I can still switch the bug on and off based on PHP 7.0 and 7.1. I can't figure out what else could be causing it.

The only difference between the problem site and a fresh install are the data and the fact that the problem site has about 14 field groups and 75+ fields among them.

I'm at a loss determining what else could be going on. :(

#3 @boonebgorges
7 months ago

Thanks for your additional testing. If you're able, you could dig deeper by investigating what's happening in bp_xprofile_get_hidden_fields_for_user() and related functions, in the various scenarios.

#4 @brianbws
7 months ago

After some testing. I narrowed it down to here. In bp_xprofile_get_fields_by_visibility_levels() right after the first foreach.

http://hookr.io/functions/bp_xprofile_get_fields_by_visibility_levels/

In PHP 7.0.3: $user_visibility_levels=

Array ( [38] => public [39] => public [167] => adminsonly [58] => loggedin [59] => adminsonly [60] => adminsonly [61] => adminsonly [62] => adminsonly [63] => adminsonly [64] => adminsonly [65] => adminsonly [68] => adminsonly [71] => adminsonly [72] => adminsonly [77] => adminsonly [78] => public [79] => public [80] => public [83] => public [86] => public [89] => public [92] => public [95] => public [96] => public [101] => adminsonly [106] => adminsonly [107] => public [110] => public [113] => public [114] => public [115] => public [149] => adminsonly [150] => public [154] => public [155] => public [156] => public [157] => public [163] => adminsonly [164] => adminsonly [165] => adminsonly [166] => adminsonly [168] => adminsonly [169] => adminsonly [170] => adminsonly [171] => adminsonly [172] => public [173] => public [174] => public [175] => public [176] => public [177] => public [178] => public [179] => public [184] => public [185] => public [188] => public [189] => public [190] => public [191] => public [192] => public [193] => public [194] => public [195] => public [196] => public [197] => public [198] => public [199] => public [200] => public [208] => public [209] => public )

In PHP 7.1.4 and PHP 7.2.0: $user_visibility_levels=

 pp laaaaaaa a aa appp p p p p pp a ap p ppp ap pppp aaaaaaaaapppppppp pp ppppppppppppp pp

Note that $default_visibility_levels comes it correctly in all versions.

#5 @boonebgorges
7 months ago

  • Keywords needs-testing added
  • Milestone changed from Awaiting Review to 5.0.0

It appears that the value coming back from the bp_get_user_meta() call on 1286 is a string rather than an array: https://buddypress.trac.wordpress.org/browser/tags/4.3.0/src/bp-xprofile/bp-xprofile-functions.php?marks=1286#L1281 More recent versions of PHP treat this kind of thing differently from previous versions.

How the string got to be in the database, I'm unsure. But we can likely work around the issue by enforcing the array. Could you try 8093.diff to see if it does the trick for you?

@boonebgorges
7 months ago

#6 @brianbws
7 months ago

Yes! I can confirm that fixes it!

Not sure how it got in there. I will say we've been doing an import of users and user data using the "Import users from CSV with meta" plugin, but I don't think we ever messed with that meta key.
https://wordpress.org/plugins/import-users-from-csv-with-meta/

Separate, but related issue, why does "Enforce field visibility" also have to be set for "Only me" to hide the field to other subscribers? Even when a subscriber hasn't overridden the visibility setting from the default "only me," the field is still shown to other subscribers unless "Enforce field visibility" is set.

#7 @brianbws
7 months ago

OK, on the separate question, I can't seem reproduce on a new install. It appears to just be an issue with my problem site. It doesn't appear to be related to PHP versions though, happens on all versions, even with the new code.

@imath
4 months ago

#8 @imath
4 months ago

  • Keywords has-patch 2nd-opinion added; needs-testing removed

Hi @brianbws & @boonebgorges

I've look deeper into the problem and discovered that if for some reasons the user meta bp_xprofile_visibility_levels is not saved as a serialized array:

1) I confirm the visibilities are not honored,
2) it's no more possible for the user to edit his fields visibilities,

8093.patch is making sure 1) & 2) are fixed, using the is_array() check of Boone's first patch.

It's also adding a new repair tool to completely remove custom field visibilities for all users so that when this case happens, the administrator can make sure the default visibility he chose will be applied.

Version 0, edited 4 months ago by imath (next)

#9 @imath
4 months ago

  • Milestone changed from 5.0.0 to Up Next

Let's take more time to fix this.

Note: See TracTickets for help on using tickets.