[buddypress-trac] [BuddyPress Trac] #5130: Synchronizing activity comments to main component
buddypress-trac
noreply at wordpress.org
Thu Mar 27 18:06:26 UTC 2014
#5130: Synchronizing activity comments to main component
-------------------------+-----------------------
 Reporter:  r-a-y        |       Owner:  r-a-y
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  2.0
Component:  Core         |     Version:  1.2
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------
Comment (by boonebgorges):
> A subscriber does not have the WordPress capability to trash or delete a
> comment.
> But a subscriber can delete an activity he posted or a reply he posted to
> an activity.
> In 5130.03, if a subscriber deletes a reply he made on a post activity, it
> will delete the comment (or trash it in the near future).

Ugh. Very good catch, imath. We can't allow for this kind of privilege
escalation, even if it's for content that the user created.
r-a-y, can we address this in a fairly cheap way? I'm thinking: in
`bp_blogs_sync_delete_from_activity_comment()`, just after you
switch_to_blog(), do a current_user_can() check. If it fails, just bail.
The activity item will still be deleted, but the blog comments will
remain. Doesn't really give any user feedback, but this seems like a case
where it's not really necessary. What do you think?
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5130#comment:27>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac
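
A sketch of the guard proposed in the comment above, added here as an example; it is not code from the ticket's patches or from BuddyPress. The helper name, its parameters, the choice of the `edit_comment` capability and the CLI stand-ins are assumptions.

```php
<?php
// Added example, not BuddyPress code. The stand-ins below let the sketch run
// under the PHP CLI; inside WordPress multisite the real functions are used.
if ( ! function_exists( 'switch_to_blog' ) ) {
	$GLOBALS['demo'] = array( 'caps' => array(), 'deleted' => array(), 'depth' => 0 );
	function switch_to_blog( $id ) { $GLOBALS['demo']['depth']++; return true; }
	function restore_current_blog() { $GLOBALS['demo']['depth']--; return true; }
	function current_user_can( $cap, ...$args ) {
		return in_array( $cap, $GLOBALS['demo']['caps'], true );
	}
	function wp_delete_comment( $id, $force = false ) {
		$GLOBALS['demo']['deleted'][] = $id;
		return true;
	}
}

/**
 * Hypothetical helper: remove the blog comment mirrored by an activity reply,
 * but only if the current user could have removed it on the blog itself.
 * Returns true when the comment was deleted, false when the sync was skipped.
 */
function example_sync_delete_blog_comment( $blog_id, $comment_id ) {
	switch_to_blog( $blog_id );

	// Assumption: 'edit_comment' is the capability to test, the one wp-admin
	// checks before trashing or deleting a comment. The ticket names none.
	$allowed = current_user_can( 'edit_comment', $comment_id );
	$deleted = $allowed ? (bool) wp_delete_comment( $comment_id ) : false;

	// Restore on both paths: bailing before this call would leave the rest of
	// the request running in the other blog's context.
	restore_current_blog();

	return $deleted;
}

// Constructed demo values, CLI only.
if ( isset( $GLOBALS['demo'] ) ) {
	var_dump( example_sync_delete_blog_comment( 2, 41 ) ); // user without the cap
	$GLOBALS['demo']['caps'][] = 'edit_comment';           // user with the cap
	var_dump( example_sync_delete_blog_comment( 2, 41 ) );
	var_dump( $GLOBALS['demo']['depth'] );                 // switch/restore balance
}
```

The activity item is deleted by the caller either way; only the mirrored blog comment is gated on the capability.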