Skip to:
Content

BuddyPress.org

Opened 18 months ago

Closed 17 months ago

Last modified 16 months ago

#9231 closed defect (bug) (fixed)

Using BP REST API it's possible to retrieve information about a spammed user

Reported by: imath's profile imath Owned by: espellcaste's profile espellcaste
Milestone: 15.0.0 Priority: normal
Severity: normal Version:
Component: REST API Keywords: needs-patch
Cc: emaralive

Description

The Web version is only showing these kind of information to Administrators.

https://developer.buddypress.org/bp-rest-api/reference/members/#retrieve-a-specific-member

Change History (11)

#1 @espellcaste
18 months ago

I can't confirm this bug. Currently, only admins can return a spammed member via the REST API. Not even the spammed member himself can get his own profile.

Here's the message a spammed user gets:

## Spammed User - GET
curl "https://bp.test/wp-json/buddypress/v2/members/2?context=edit" \
     -u 'user:password'

{
  "code": "invalid_username",
  "data": null,
  "message": "<strong>Error</strong>: Your account has been marked as a spammer."
}

Other regular users will get this:

{
  "code": "bp_rest_authorization_required",
  "data": {
    "status": 403
  },
  "message": "Sorry, you are not allowed to view members with the edit context."
}

And the admin will get the member object properly.

cc: @emaralive

Last edited 18 months ago by espellcaste (previous) (diff)

This ticket was mentioned in Slack in #buddypress by espellcaste. View the logs.
18 months ago

#3 @emaralive
18 months ago

@espellcaste

It is comforting that V2 appears to not have the issue, however, V1 is the current API and, it could be that the plugin (BP-REST) that I am utilizing is not current for V1, nevertheless, this appears to have the issue which seems to fall in line with the support forum topic:

--user is a subscriber
18 is the id of the spammed user

curl -X GET --user user:password -ik site.url/wp-json/buddypress/v1/members/18

HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 12:44:13 GMT
Server: Apache/2.4.58 (Debian)
X-Robots-Tag: noindex
Link: <site.url/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

{"id":18,"name":"Apple","user_login":"news","friendship_status":false....}

#4 @espellcaste
18 months ago

@emaralive Who's the user making the request? Is it user 18?

#5 @emaralive
18 months ago

The user who is making the request is "bing" (user_id = 3) who happens to have a user role of "subscriber". So bing is requesting member information about the user with the id of 18 who happens to be a spammed user.

#6 @espellcaste
18 months ago

Found the bug. That's helpful information. Both V1 and V2 have this problem.

#7 @emaralive
18 months ago

  • Cc emaralive added

This ticket was mentioned in Slack in #buddypress by espellcaste. View the logs.
17 months ago

This ticket was mentioned in Slack in #buddypress by espellcaste. View the logs.
17 months ago

#10 @espellcaste
17 months ago

  • Resolution set to fixed
  • Status changed from new to closed

In 14034:

BP REST API: spammed users can not be retrivied from non-admin users.

Align the BP REST API with the web version, and show spammer users to Administrators only.

Props imath and emaralive.

See #9145
Fixes #9231

This ticket was mentioned in Slack in #buddypress by espellcaste. View the logs.
16 months ago

Note: See TracTickets for help on using tickets.