[buddypress-trac] [BuddyPress Trac] #5478: Security while favoriting activity
buddypress-trac
noreply at wordpress.org
Thu Mar 27 01:04:43 UTC 2014
#5478: Security while favoriting activity
--------------------------+-----------------------------
Reporter: mpa4hu | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: Awaiting Review
Component: Core | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
This is not much of a security issue, but it is an interesting workaround.

var type = target.hasClass('fav') ? 'fav' : 'unfav'; // client decides fav vs. unfav from the button's class only
var parent = target.closest('.activity-item');
var parent_id = parent.attr('id').substr( 9, parent.attr('id').length ); // strips the "activity-" prefix from the element id
target.addClass('loading');
jq.post( ajaxurl, {
    action: 'activity_mark_' + type,
    'cookie': bp_get_cookies(),
    'id': parent_id
} );
This is the client-side script that handles favoriting an activity.
Then on the server side, when removing an activity favorite
(`bp_activity_remove_user_favorite`), you check
`$my_favs = array_unique( array_flip( $my_favs ) );`
`array_unique` (I think) guarantees that the array meta data stays clean.
On the other hand, when adding an activity as a favorite
(`bp_activity_add_user_favorite`), there is no such thing.
At first this might not sound serious, but for example I have a filter
that orders activities by the `favorite_count` meta, and since there is no
check on the backend whether it is already favorited or not, I can increment that
meta as many times as I want.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5478>
BuddyPress Trac <http://buddypress.org/>
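The following is an added, stand-alone PHP model of the two server-side paths the ticket contrasts; it is not BuddyPress code and does not call the BuddyPress API. The in-memory `$user_meta` and `$activity_meta` arrays stand in for user meta and activity meta, and the function names `add_favorite_unchecked` and `add_favorite_checked` are hypothetical. The first function behaves as the ticket describes the add path (no duplicate check, so every replayed request bumps `favorite_count`); the second treats the user's stored favorites as the source of truth, so a repeated request from the same user is a no-op.

```php
<?php
// Added example (not BuddyPress code): models the add-favorite path with and
// without a server-side "already favorited" check. Storage is in-memory and
// the function names are hypothetical.

$user_meta     = [];   // user_id     => ['bp_favorite_activities' => [activity_id, ...]]
$activity_meta = [];   // activity_id => ['favorite_count' => int]

/**
 * Unchecked variant, mirroring what the ticket describes: the activity id is
 * appended to the user's favorites and favorite_count is incremented on
 * every call, so a replayed request keeps inflating the counter.
 */
function add_favorite_unchecked(int $user_id, int $activity_id): int
{
    global $user_meta, $activity_meta;

    $favs   = $user_meta[$user_id]['bp_favorite_activities'] ?? [];
    $favs[] = $activity_id;
    $user_meta[$user_id]['bp_favorite_activities'] = $favs;

    $count = ($activity_meta[$activity_id]['favorite_count'] ?? 0) + 1;
    $activity_meta[$activity_id]['favorite_count'] = $count;
    return $count;
}

/**
 * Checked variant: refuse to add (and refuse to touch favorite_count) when
 * the activity is already in the user's favorites. Returns false when
 * nothing changed so the AJAX handler can report the duplicate request.
 */
function add_favorite_checked(int $user_id, int $activity_id)
{
    global $user_meta, $activity_meta;

    $favs = $user_meta[$user_id]['bp_favorite_activities'] ?? [];
    if (in_array($activity_id, $favs, true)) {
        return false;   // already favorited: the client-side toggle is not trusted
    }
    $favs[] = $activity_id;
    $user_meta[$user_id]['bp_favorite_activities'] = $favs;

    $count = ($activity_meta[$activity_id]['favorite_count'] ?? 0) + 1;
    $activity_meta[$activity_id]['favorite_count'] = $count;
    return $count;
}

// The same "activity_mark_fav" request replayed five times by one user, as
// someone posting to the endpoint directly (bypassing the .fav/.unfav class
// check in the page script) could do.
for ($i = 0; $i < 5; $i++) {
    add_favorite_unchecked(1, 42);
}
echo 'unchecked favorite_count: ' . $activity_meta[42]['favorite_count'] . PHP_EOL;

$user_meta     = [];
$activity_meta = [];
for ($i = 0; $i < 5; $i++) {
    add_favorite_checked(1, 42);
}
echo 'checked favorite_count: ' . $activity_meta[42]['favorite_count'] . PHP_EOL;
```

Run with `php` 7 or later (scalar type hints). The unchecked path ends with the counter at five for a single user, the checked path at one; the difference is exactly the missing backend check the ticket points out, and it also keeps the stored favorites list free of duplicate ids so the remove path has nothing to deduplicate.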