Opened 5 years ago
Closed 5 years ago
#8181 closed defect (bug) (fixed)
PHP Notice generated when logged out user attempts to join an invalid user to a group via REST API
Reported by: | sjregan | Owned by: | |
---|---|---|---|
Milestone: | 5.2.0 | Priority: | normal |
Severity: | trivial | Version: | 5.0.0 |
Component: | REST API | Keywords: | |
Cc: |
Description
(This is in v5.1.0 but the version is not available in the ticket create form drop-down menu)
Given the following scenario a PHP notice will be generated:
- Make unauthenticated POST request to /buddypress/v1/groups/<group_id>/members API endpoint
- Endpoint arguments context=view, user_id is null
PHP Notice: Trying to get property 'ID' of non-object in .../bp-groups/classes/class-bp-rest-group-membership-endpoint.php on line 337
During execution of the create_item_permissions_check() function $retval will be set to a WP_Error object and the $user variable will be false.
As the $retval !== true the following line will be executed without checking that $user is an instance of WP_User:
<?php if ( $loggedin_user_id === $user->ID && 'view' === $request['context'] ) {
Change History (3)
#2
@
5 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to 5.2.0
Thanks for your feedback @sjregan let’s try to have it fixed for 5.2.0
#3
@
5 years ago
- Keywords needs-patch removed
- Resolution set to fixed
- Status changed from new to closed
I've just tested it again, there's no more PHP notice. I believe it has been fixed from our GitHub repository.
Sorry, during an OPTIONS request, not POST as originally stated.