[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor
buddypress-trac
noreply at wordpress.org
Mon Jun 15 00:22:11 UTC 2015
#6504: Messages viewable to any logged out visitor
-----------------------------------+------------------------------
Reporter: CodeMonkeyBanana | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Component - Messaging | Version:
Severity: major | Resolution:
Keywords: has-patch |
-----------------------------------+------------------------------
Changes (by sbrajesh):
* cc: brajesh@… (added)
* keywords: => has-patch
Comment:
Confirmed.
The reason it is happening: we are attaching various AJAX actions to
wp_ajax_nopriv_ actions.
In the case of messages, when the user is not logged in, it lists all messages
without using user_id in the query.
A simple solution is to break down the $actions array into privileged actions
and non-privileged actions. We only attach privileged actions to wp_ajax
and not to wp_ajax_nopriv.
I have attached an initial patch that fixes it for bp-legacy. Need to
check if it is happening in bp-default too.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:1>
BuddyPress Trac <http://buddypress.org/>
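
The split described in the comment above, as an added sketch that is not the attached patch and not BuddyPress code: every `example_*` name is hypothetical, and the `add_action()` stand-in is an assumption that exists only so the file also runs outside WordPress. It goes slightly beyond the comment by keeping an action privileged when it is listed in both arrays by mistake.

```php
<?php
// Stand-in so the sketch also runs outside WordPress (assumption for this
// example); inside WordPress the real add_action() is used instead.
if ( ! function_exists( 'add_action' ) ) {
    function add_action( $hook, $callback, $priority = 10, $accepted_args = 1 ) {
        $GLOBALS['example_hooks'][ $hook ][] = $callback;
        return true;
    }
}

// Hypothetical handlers standing in for the theme's AJAX callbacks.
function example_ajax_activity_filter() {}
function example_ajax_messages_filter() {}
function example_ajax_messages_send_reply() {}

/**
 * Attach privileged actions to wp_ajax_ only, and public actions to both
 * wp_ajax_ and wp_ajax_nopriv_. Returns the hook names that were registered.
 */
function example_register_ajax_actions( array $privileged, array $public ) {
    $registered = array();
    foreach ( $privileged as $name => $function ) {
        add_action( 'wp_ajax_' . $name, $function ); // logged-in requests only
        $registered[] = 'wp_ajax_' . $name;
    }
    foreach ( $public as $name => $function ) {
        if ( isset( $privileged[ $name ] ) ) {
            continue; // listed in both arrays: it stays privileged
        }
        add_action( 'wp_ajax_' . $name, $function );
        add_action( 'wp_ajax_nopriv_' . $name, $function ); // logged-out requests
        $registered[] = 'wp_ajax_' . $name;
        $registered[] = 'wp_ajax_nopriv_' . $name;
    }
    return $registered;
}

$registered = example_register_ajax_actions(
    array( // privileged: per-user data, never reachable while logged out
        'example_messages_filter'     => 'example_ajax_messages_filter',
        'example_messages_send_reply' => 'example_ajax_messages_send_reply',
    ),
    array( // public: safe for logged-out visitors
        'example_activity_filter' => 'example_ajax_activity_filter',
        'example_messages_filter' => 'example_ajax_messages_filter', // mistake, skipped
    )
);
```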