[buddypress-trac] [BuddyPress Trac] #7553: Xprofile field default visibility not honored during POST processing of registration form

buddypress-trac noreply at wordpress.org
Sat Jun 24 18:13:25 UTC 2017


#7553: Xprofile field default visibility not honored during POST processing of registration form
--------------------------+-----------------------------
 Reporter:  uscore713     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  high          |  Milestone:  Awaiting Review
Component:  Core          |    Version:  2.8.2
 Severity:  normal        |   Keywords:  has-patch
--------------------------+-----------------------------
 I have an application requirement whereby the standard profile field
 visibility controls are NOT to be presented on the registration page, so I
 cloned the standard members/register.php template and simply removed all
 the visibility-related elements.

 This of course has the effect of no visibility-related fields being posted
 on form submission, and when the POST (usermeta) data is processed, the
 net effect is that each field's visibility is set to '''public''', as the
 processing does not take into account the field's (potentially defined)
 default visibility.

 '''This raises a bit of a security problem in our application''', as
 several profile fields are for User and Admin use.  (I elected to not post
 this report in the WordPress Hacker One program as I don't believe it
 ranks up there as a typical "security issue".)

 This problem exists in the '''BP_Signup class''' (buddypress/bp-members/classes/class-bp-signup.php), in the '''add_backcompat()''' method, at '''lines 392-393''':

 {{{
 // Save the visibility level.
 $visibility_level = ! empty( $usermeta['field_' . $field_id . '_visibility'] ) ? $usermeta['field_' . $field_id . '_visibility'] : 'public';
 xprofile_set_field_visibility_level( $field_id, $user_id, $visibility_level );
 }}}

 The fix for this security problem is something like the following (the mod
 we use to get past this problem for now):

 {{{
 // Save the visibility level.
 // Use the field's default visibility if not present, and use 'public' IFF a default visibility is not defined.
 $key = 'field_' . $field_id . '_visibility';
 if ( isset( $usermeta[ $key ] ) ) {
     $visibility_level = $usermeta[ $key ];
 } else {
     $vfield           = xprofile_get_field( $field_id );
     $visibility_level = isset( $vfield->default_visibility ) ? $vfield->default_visibility : 'public';
 }
 xprofile_set_field_visibility_level( $field_id, $user_id, $visibility_level );
 }}}

 This problem exists in BP 2.8.2; no other versions have been examined.
 Hopefully this can be fixed in the next point release.

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7553>
BuddyPress Trac <http://buddypress.org/>
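An added, stand-alone PHP model of the fallback logic this ticket describes (example code, not BuddyPress's own; the VISIBILITY_LEVELS list, the FIELD_DEFAULTS table standing in for xprofile_get_field(), and both resolve_* functions are constructed assumptions). Going one step beyond the ticket's patch, it also treats an empty or unrecognised submitted value as absent, so a stripped-down or tampered form cannot widen a field's visibility past its configured default.

```php
<?php
// Added example, not BuddyPress code: models how registration POST data
// should fall back when a field's visibility value is not submitted.

// Assumed set of valid xprofile visibility levels (adjust to your install).
const VISIBILITY_LEVELS = ['public', 'loggedin', 'friends', 'adminsonly'];

// Constructed field table standing in for xprofile_get_field():
// field id => configured default visibility (null = no default defined).
const FIELD_DEFAULTS = [
    1 => 'public',      // e.g. display name
    2 => 'adminsonly',  // e.g. internal note, staff only
    3 => 'friends',
    4 => null,          // no default configured
];

// Behaviour reported in the ticket: anything missing collapses to 'public'.
function resolve_visibility_original( array $usermeta, int $field_id ): string {
    $key = 'field_' . $field_id . '_visibility';
    return ! empty( $usermeta[ $key ] ) ? $usermeta[ $key ] : 'public';
}

// Hardened resolution: a submitted value wins only if it is a known level;
// otherwise use the field's configured default; otherwise 'public'.
function resolve_visibility_hardened( array $usermeta, int $field_id, array $defaults = FIELD_DEFAULTS ): string {
    $key       = 'field_' . $field_id . '_visibility';
    $submitted = $usermeta[ $key ] ?? '';
    if ( in_array( $submitted, VISIBILITY_LEVELS, true ) ) {
        return $submitted;
    }
    $default = $defaults[ $field_id ] ?? null;
    return in_array( $default, VISIBILITY_LEVELS, true ) ? $default : 'public';
}

// Constructed POST data from a registration form whose visibility controls
// were removed: only field 1 carries a value; field 3 carries an unknown one.
$usermeta = [
    'field_1'            => 'Alice',
    'field_1_visibility' => 'public',
    'field_2'            => 'VIP customer',
    'field_3'            => 'x',
    'field_3_visibility' => 'everyone',   // not a valid level
    'field_4'            => 'y',
];

printf( "%-6s %-10s %-10s\n", 'field', 'original', 'hardened' );
foreach ( array_keys( FIELD_DEFAULTS ) as $field_id ) {
    printf( "%-6d %-10s %-10s\n", $field_id,
        resolve_visibility_original( $usermeta, $field_id ),
        resolve_visibility_hardened( $usermeta, $field_id ) );
}
```

Field 2 is the case the ticket is about: the original logic exposes it as public, while the hardened resolution keeps it at its configured adminsonly default.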