Skip to:
Content

BuddyPress.org

Opened 2 months ago

Last modified 2 months ago

#8181 new defect (bug)

PHP Notice generated when logged out user attempts to join an invalid user to a group via REST API

Reported by: sjregan Owned by:
Milestone: 5.2.0 Priority: normal
Severity: trivial Version: 5.0.0
Component: REST API Keywords: needs-patch
Cc:

Description

(This is in v5.1.0 but the version is not available in the ticket create form drop-down menu)

Given the following scenario a PHP notice will be generated:

  1. Make unauthenticated POST request to /buddypress/v1/groups/<group_id>/members API endpoint
  2. Endpoint arguments context=view, user_id is null
PHP Notice:  Trying to get property 'ID' of non-object in .../bp-groups/classes/class-bp-rest-group-membership-endpoint.php on line 337

During execution of the create_item_permissions_check() function $retval will be set to a WP_Error object and the $user variable will be false.

As the $retval !== true the following line will be executed without checking that $user is an instance of WP_User:

<?php
if ( $loggedin_user_id === $user->ID && 'view' === $request['context'] ) {

Change History (2)

#1 @sjregan
2 months ago

Sorry, during an OPTIONS request, not POST as originally stated.

#2 @imath
2 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 5.2.0

Thanks for your feedback @sjregan let’s try to have it fixed for 5.2.0

Note: See TracTickets for help on using tickets.