
Opened 4 years ago

Closed 4 years ago

#8181 closed defect (bug) (fixed)

PHP Notice generated when logged out user attempts to join an invalid user to a group via REST API

Reported by: sjregan
Owned by:
Milestone: 5.2.0
Priority: normal
Severity: trivial
Version: 5.0.0
Component: REST API
Keywords:


(This is in v5.1.0 but the version is not available in the ticket create form drop-down menu)

Given the following scenario, a PHP notice will be generated:

  1. Make an unauthenticated POST request to the /buddypress/v1/groups/<group_id>/members API endpoint
  2. Endpoint arguments: context=view, user_id is null

PHP Notice:  Trying to get property 'ID' of non-object in .../bp-groups/classes/class-bp-rest-group-membership-endpoint.php on line 337

During execution of the create_item_permissions_check() function, $retval will be set to a WP_Error object and the $user variable will be false.

As $retval !== true, the following line will be executed without checking that $user is an instance of WP_User:

if ( $loggedin_user_id === $user->ID && 'view' === $request['context'] ) {
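The missing type check described in this report, as an added example that is not BuddyPress code and not the fix that was committed: the WP_User and WP_Error classes are minimal stand-ins, and example_get_user(), check_unguarded(), check_guarded(), the error codes and the request array are hypothetical or constructed.

```php
<?php
// Stand-ins for the WordPress classes, constructed for this example only.
class WP_User  { public $ID;   function __construct( $id )   { $this->ID = $id; } }
class WP_Error { public $code; function __construct( $code ) { $this->code = $code; } }

// Hypothetical lookup: returns a WP_User, or false when user_id is null or unknown.
function example_get_user( $user_id ) {
	$known = array( 7 => new WP_User( 7 ) );
	return ( is_int( $user_id ) && isset( $known[ $user_id ] ) ) ? $known[ $user_id ] : false;
}

// Shape of the check in the report: $user->ID is read even when $user is false.
// What happens inside the if body is an assumption made for this example.
function check_unguarded( $loggedin_user_id, $request ) {
	$user   = example_get_user( $request['user_id'] );
	$retval = new WP_Error( 'example_authorization_required' );
	if ( true !== $retval ) {
		if ( $loggedin_user_id === $user->ID && 'view' === $request['context'] ) {
			$retval = true;
		}
	}
	return $retval;
}

// Guarded form: reject anything that is not a WP_User before touching ->ID.
function check_guarded( $loggedin_user_id, $request ) {
	$user = example_get_user( $request['user_id'] );
	if ( ! $user instanceof WP_User ) {
		return new WP_Error( 'example_invalid_user' ); // fail closed, no dereference
	}
	if ( $loggedin_user_id === $user->ID && 'view' === $request['context'] ) {
		return true;
	}
	return new WP_Error( 'example_authorization_required' );
}

// Collect PHP diagnostics (a notice on PHP 7, a warning on PHP 8) instead of printing them.
$diagnostics = array();
set_error_handler( function ( $errno, $errstr ) use ( &$diagnostics ) {
	$diagnostics[] = $errstr;
	return true;
} );

$request   = array( 'user_id' => null, 'context' => 'view' ); // constructed arguments
$unguarded = check_unguarded( 0, $request );                   // 0 = logged-out user
$raised    = count( $diagnostics );
$guarded   = check_guarded( 0, $request );
printf( "unguarded: %s, diagnostics: %d\n", $unguarded->code, $raised );
printf( "guarded:   %s, diagnostics: %d\n", $guarded->code, count( $diagnostics ) - $raised );
```

Both forms deny the request; the guarded one does so without dereferencing a non-object and returns an error that names the actual problem.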

Change History (3)

#1 @sjregan
4 years ago

Sorry, during an OPTIONS request, not POST as originally stated.

#2 @imath
4 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 5.2.0

Thanks for your feedback @sjregan, let’s try to have it fixed for 5.2.0.

#3 @imath
4 years ago

  • Keywords needs-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

I've just tested it again, there's no more PHP notice. I believe it has been fixed from our GitHub repository.
