[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor

buddypress-trac noreply at wordpress.org
Mon Jun 15 00:22:11 UTC 2015

#6504: Messages viewable to any logged out visitor
 Reporter:  CodeMonkeyBanana       |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Component - Messaging  |     Version:
 Severity:  major                  |  Resolution:
 Keywords:  has-patch              |
Changes (by sbrajesh):

 * cc: brajesh@… (added)
 * keywords:   => has-patch


 The reason it is happening, we are attaching various ajax actions to
 wp_ajax_nopriv_ actions.
 In case of messages, When user is not logged in, it lists all messages
 without using user_id in the query.

 A simple solution is to break down $actions array into privileged actions
 and non privileged actions. We only attach privileged actions to wp_ajax
 and not to wp_ajax_noprim

 I have attached an initial patch, that fixes it for bp-legacy. need to
 check if it is happening in  bp-default too.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:1>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list