[buddypress-trac] [BuddyPress Trac] #7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function

buddypress-trac noreply at wordpress.org
Thu Jan 4 12:38:21 UTC 2018

#7048: Move permission checks in `bp_activity_screen_single_activity_permalink`
into new function
 Reporter:  DJPaul                    |       Owner:
     Type:  enhancement               |      Status:  assigned
 Priority:  high                      |   Milestone:  3.0
Component:  Activity                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |

Comment (by espellcaste):

 @DJPaul The current implementation took that into account.

 > if ( ! $retval && bp_is_active( 'groups' ) && $activity->component ===
 $bp->groups->id ) {

 This line check if the group component is active and if the current
 activity is group related. The `isset($bp->groups->id` part was a mistake
 in my opinion, used after the `bp_is_active( 'groups' )` was not

 > Otherwise the patch leaks private/hidden Group Activity items
 It only shows to those that we allow access to, regardless if it is
 private or not.
 It's worth mentioning this is not blocking user to see the group, it is
 allowing/blocking to see the permalink url.

 Does that mean users that created activities and later the group was
 disabled can not see via url their activities and its comments?
 Is it removed from his notification feed, history, after a group is

 >  needs to prevent access to Group Activity items when the Groups
 component is disabled
 So no access to its creators, admins, mods?? :/

 > $retval = $group->user_has_access;

 Then it goes to check if the user has access to the group activity.
 So no leakage here.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7048#comment:21>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list